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Preface 


Product Overview 


Welcome to the Sniffer Advanced Ethernet Monitor™, the advanced network 
monitoring program that uses state-of-the-art data collection techniques. The 
Ethernet Monitor provides an accurate picture of network activity at any moment, 
or an historical record of network activity over a period of time. 


You can use this information to find traffic overloads, to plan for network 
expansion, to detect intruders, to establish performance baselines, and to distribute 
traffic more efficiently between servers. 


The Ethernet Monitor's report capabilities let you communicate this information to 
others, complete with graphics. And the Ethernet Monitor’s alarm capabilities 
ensure that you know about problems with the network or with individual stations 
before users call you to complain. 


What the Ethernet Monitor Can Do 


¢ Monitors up to 1,024 network stations, at data rates of up to 10,000 frames per 
second. 


e Generates visible and audible alarms for the entire network or for individual 
stations. It also compiles a historical alarm log. 


e Provides real-time traffic and historical information for individual stations as 
well as for the entire network. 


¢ Sorts statistics to show only those items that interest you. 
e Creates customized management reports. 


¢ Helps to identify faulty hardware and software. 


How the Ethernet Monitor Works 


The Ethernet Monitor software, which uses the network interface card to passively 
monitor network traffic, includes two basic programs: ENMONDRV and 
ENMON. ENMONDRYV is the background program that controls the network 
interface card and counts frames in the background. It is loaded into RAM as a 
terminate and stay-resident (TSR) program. ENMON is the foreground 
application that allows you to display the statistics collected by the ENMONDRV 
program, to work with alarms, to generate customized reports, and to use the 
software’s other features. Therefore, although you can monitor with just the 
background program, you need to run the Ethernet Monitor to take full advantage 
of the programs capabilities. 
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Limitations 


Note that the Ethernet Monitor monitors frames only on a single network segment. 
If your network consists of several segments connected by bridges or routers, the 
Ethernet Monitor collects statistics only for the segment to which the network 
interface card is attached. 


Although the Ethernet Monitor counts frames that contain errors, it may not be 
able to detect all errors. Keep this in mind when resolving network problems. 


How to Use this Manual 


To find specific topics, consult the Table of Contents and the Index. To help you 
find specific procedures, the Table of Contents contains a separate listing for 
procedures. The “Recommendations” entry in the Index points you to suggestions 
for getting the most from your Ethernet Monitor software. 


The manual is organized as follows: 
e Part 1. “Using the Ethernet Monitor” contains step-by-step procedures for all 
major tasks. 


¢ Part 2. “Reference” lists and briefly explains each of the following: the 
Ethernet Monitor files, the configuration program options, and all menu 
options. 


¢ Part 3. “Appendixes” provides additional information, including background 
information about networks, a functional overview of the Ethernet Monitor, a 
list of error and warning messages, information about the database format, a 
list of Ethertypes, and a list of command line options. 


This manual uses special typefaces to help you distinguish between such items as 
menu commands, filenames, system prompts, and variables. As you read this 
manual, you will see: 


¢ Menu options and the names of keys are in bold type. For example: 
Global statistics 

¢ Filenames and commands are in ALL CAPS. For example: 
ENMON.CFG 

¢ Text you should type is in BOLD CAPS. For example: 
MENU 

¢ System prompts and messages are in “quotation marks.” For example: 
“Specify the type of medium to be monitored.” 

¢ Variables, for which you insert values, are in italics. For example: 


Type the number of minutes and seconds in the mm:ss format. 
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Chapter 1. Getting Started 


This chapter provides an overview of how to use the Ethernet Monitor, as well as 
specific instructions for starting a monitoring session. Topics include: 


¢ configuring the Ethernet Monitor 

e starting the Ethernet Monitor 

* an overview of the user interface 

e starting and stopping a monitoring session 
* monitoring in the background 


Configuring the Ethernet Monitor 


The configuration settings for the Ethernet Monitor include the network card 
settings and the monitor settings. Since the default settings will work for most 
systems, you can skip to the next section unless you know you want to change 
them. 


The network card settings used by the network interface card must be unique; that 
is, no other cards in your system or devices attached to your system can use the 
same settings. If you purchase a complete system, the software and network 
interface card are properly configured at the factory. If you buy a module and the 
software, or receive an update, these settings are automatically configured to work 
with the network interface card as originally configured at the factory. You do not 
have to change them unless they conflict with other devices. 


The monitor settings determine the maximum number of stations to be monitored 
and the number of history intervals to be recorded. Keep in mind that changing 
the number of stations on the network or the number of intervals stored affects the 
amount of RAM used. For example, if you monitor 1024 stations for 100 15-minute 
intervals (the default), the ENMONDRV program requires about 70K of RAM. If 
you decrease the number of stations monitored to 75, only about 21.5K of RAM is 
required. 


Note: You can easily make configuration changes later as your needs change. 
However, the statistics from the most recent monitoring session are erased. 
Network Card Settings 


1/O Address—specifies the memory location of the host processor’s I /O port used 
to control the network interface card (PC/AT only). 


DMA Channel—specifies the memory access channel used to transfer data 
between the network card and the CPU. 


: 
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Monitor Settings 


Step 1. 


Step 2. 


Maximum Stations—(1 to 1024) determines the maximum number of stations that 
can be monitored. Initially, set this level from 10% to 20% higher than the number 
of current stations, to allow for growth and for the needs of the Ethernet Monitor 
software. 


History Length—(5 to 1750) determines the number of history intervals to be 
collected. 


Note: Increasing the number of stations to be monitored or collecting more 
intervals increases the amount of RAM used by the ENMONDRYV program. 


Address Style—(standard or DEC) determines monitoring of either standard or 
DEC stations for optimal performance. 


To configure the Ethernet Monitor: 


From the Sniffer Network Analyzer Main selection menu, move to Ethernet 
Monitor and press Enter. 


Move to Configure Ethernet Monitor and press Enter to display the Configuration 
Options view. 


Note: This menu option appears only when the monitoring program is not loaded; 
you cannot change the configuration while the Ethernet Monitor is running. You 
must first Exit the application from the main menu and Terminate Ethernet 
Monitor from the Ethernet Monitor Selection menu to access the Configure 
Ethernet Monitor selection. 
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CONFIGURATION OPTIOXS=———=—= 
Network General Copyright 1988 - 1990 


Network Card Settings Monitor Settings 


1/0 Address = 300 Maximum Stations = 1024 
DMA Channel = 6 History Length = 100 
Address Style = Standard 


==——=[se the Arrow keys to move, or ENTER to change this value== 


i 
Exit 


Figure 1. The Configuration Options view. 


Step 3. Use the Arrow keys to move to the setting you want to change. Press Enter to 
display a list of options or a dialog box that lets you enter a value. 


Step 4. Move to the correct value or type a value and press Enter. Press Esc to abort 
without changing the value. 


Step 5. Repeat these steps for any other settings you want to change. 


Step 6. Press F10 (Exit) to quit the configuration procedure. The Ethernet Monitor 
automatically saves the settings you defined to the file 
C:\ENSNIFF\ENMON.CFG. 


Starting the Ethernet Monitor 


When you start the Ethernet Monitor, you load both the background program 
ENMONDRV and the foreground application ENMON. The Ethernet Monitor 
collects statistics in the background and you have access to all of its features. 
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To start the Ethernet Monitor: 


Step 1. From the Sniffer Network Analyzer Main selection menu, move to Ethernet 
Monitor and press Enter to display the Ethernet Monitor Selection menu. 


Ethernet Monitor Selection menu 


Run Ethernet Monitor 
Install Ethernet Monitor 
Return to main menu 


Configure the Advanced Ethernet 
Monitor. 
Use arrow keys to select, then press Enter. 


Figure 2. The Ethernet Monitor Selection menu. 
Step 2. Move to Run Ethernet Monitor and press Enter to display the main menu. 


Note: You must start and stop the Ethernet Monitor from the Ethernet Monitor 
Selection menu rather than from the DOS command line. Operating the Ethernet 
Monitor from the selection menu ensures that system configuration information is 
updated, thereby ensuring proper operation of the Ethernet Monitor, Sniffer, and 
Sniffmaster I. 


The Installation Selection 
The Install Ethernet Monitor selection loads the Ethernet Monitor's TSR program 


into system memory. The Ethernet Monitor does not run in the foreground and 
none of its functions are active. 


The Terminate Selection 
The Terminate Ethernet Monitor selection appears only after the Ethernet Monitor 


has been loaded into memory. Choosing this selection ends your monitoring 
session and unloads the monitor from memory. 
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Using the Ethernet Monitor: An Overview 


This section provides a quick overview of how to use the Ethernet Monitor. The 
chapters that follow include complete step-by-step procedures for all tasks. 


Note: If you are already familiar with how to use the Sniffer Advanced Ethernet 
Monitor, you may want to skip this section. Otherwise, you may find it useful to 
follow along with this description on your keyboard. 


The Menu Structure 


All Ethernet Monitor functions are accessible through the main menu (Figure 3). 
When you first start the application, the Display option is highlighted. Options 
associated with Display are in the panel to the right. This organization is 
consistent throughout the menu structure; options associated with any highlighted 
item always appear to its right. 


lobal statistics 
Network Single station 
General Station test All stations 
Monitor filters Frame sizes 


PT 
4 

4 

4 

Histor Ethertypes ¢ 

Ethernet Sniffer Display Alarm log ¢ 
Network Monitor Alarm Global history : 


Report Station history 
Version 1.00 Manage stations 
Exit ¢#] Class 
(C) Copyright 
1988 - 1990 Network usage 


Display traffic statistics. 


=————=[se the Arrow keys to move, or ENTER to do this functioo==== 


1 10 Ne 
onitor) 


Figure 3. The Ethernet Monitor main menu. 


Moving Through the Menus 


You can move through the menu structure both vertically and horizontally. The 
highlight shows your current location. You can move through the menus by: 


e pressing the Arrow keys 
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¢ pressing the PgUp, PgDn, Home, and End keys 
* typing the first letter of the menu item’s name 


Executing Options 


You can execute certain menu options by pressing the Enter key. Available 
options are marked with an arrow to the option’s right. In the main menu in 
Figure 3, for example, the Display and Exit options can be executed when they are 
highlighted. 


Choosing Options and Defining Values 


After moving to the item you want, you can choose that item, define a value for it, 
or execute it. 


Choosing a Menu Item 


Lists from which you choose one of several options are identified by a double line 
to the list’s left. To choose, move to the option you want and press the Spacebar. 
An arrow appears to the left of the option, indicating that it is selected. For 
example, Figure 4 shows that the Alarm log item is chosen. 


Global statistics 

Single station 
Station test All stations 
Monitor filters Frame sizes 


Histor 

7eu 

Report 

Manage stations 

Exit #1! = Class 
Network usage 


Display alarms. 


Press space to select this option—= 


10 Ne 
monitor 


Figure 4. Choosing a menu item. 


; 


Chapter 1. Getting Started 


Choosing Among Values 


As you use the Ethernet Monitor, you often enter values or choose among values 
from a list. The Ethernet Monitor automatically displays the necessary dialog 
boxes or lists whenever this information is required. For example, Figure 5 shows 
how to define a particular station to be tested from a list of stations. 


TATION LIST 


Anthony Serrao 
Barbara Lemmon 
Barney Ingram 
Bill Goodman 
David Brooks 
Denise Martin 


Station test To = File Server Ed Hicks 
onitor filters File Server 
History TEEE 802.2 Fred Biddle 


Alarn DEC LOOP Helene Milici 
Report NetBIOS Jack Clayton 
Manage stations James Wylie 
More! Jill Franz 
Specify the destination station. Ken Quinn 
Linus Stanwick 
Use the Arrow keys to move, or ENTER to do this f]) Mark Ellison 
Michael Harley 
Miles Russell 
Press ESC to exit 


4 
Display <#| = XNS Echo . George Stanley 
< 


Figure 5. Choosing among values. 
Selecting and Deselecting Options 


Some views let you choose whether particular options are displayed (selected) or 
hidden (not selected). You can also choose whether a function, such as the audible 
alarm indicators, is enabled (selected) or disabled (not selected). 


You select an item by moving to the item to highlight it and pressing the Spacebar. 
A \ mark on the item’s left means the item is selected, an x means it is not selected. 
If you press the Alt and Spacebar keys together, all ¥ and x marks in the current 
view are reversed. 


Figure 6 shows that when you later display the All Stations view, active stations, 
frames, errors, and bytes will be displayed. The partner’s name and the average 
size will be hidden. 
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Graphic 


Global statistics €!] Sort by 


Single station 4 
iT stations / eS 
rame sizes ¢ 


Ethertypes ¢| x Partner's name 

Alarm log ¢ | v Frames 

Global history J v Errors 

Station history #] v Bytes 

x Average size 
More! ore! 

Display a station only if it has sent or received traffic. 


Press space to select (v) or not select (x); Alt-space inverts all 


a 10 New 
monitor’ 


Figure 6. Showing and hiding options. 


Using the Function Keys 


The Ethernet Monitor menus and views include function keys that let you move 
between displays and perform various actions. 


From menus, you can use the following function keys: 


F1 (Help)— displays the main Help menu, a submenu, or a description of the 
displayed view. 


F3 (Display)—displays the statistics chosen with the Display menu item. This key 
is visible only after you start a monitoring session. 


F10 (New monitor/Stop monitor)—starts or stops a monitoring session. This key 
toggles between the two functions. 


From views, you can use the following function keys to navigate between menus 
and options. All other keys are unique to particular views and are described in the 
procedures related to that view. 


F5 (Menus)—returns you to the main menu. 
F6 (Display (Edit) options/Return)—lets you choose views, display options, or edit 


options without returning to the main menu. This key toggles with “Return,” 
which returns you to the view. 
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Using On-Line Help 


Step 1. 


Step 2. 


Step 3. 


The Ethernet Monitor provides an on-line help facility that puts information about 
the following topics at your fingertips: 


e About help 

¢ Moving around the menu tree 
¢ Selecting menu items 

¢ Using the function keys 

e Testing connectivity 

¢ Monitoring network traffic 

¢ Setting monitor filters 

¢ Specifying history information 
¢ Displaying statistics 

e Alarm settings 

e Using the report writer 

¢ Managing station information 


To use the on-line help facility: 


Press F1 (Help) to display the help menu or relevant submenu. If you press F1 
when one of the Ethernet Monitor views is displayed, a description of that view 


appears. 


In a help menu, move to the topic for which you want additional information and 
press Enter. 


To scroll through explanatory text, press the up and down Arrow keys. 


Press Esc to return to the help menu. Press Esc again to exit the help facility. 


Starting a Monitoring Session 


When you start a monitoring session, the Ethernet Monitor creates a database by 
adding the addresses of any stations it detects to a list in memory. When you 
assign names to these addresses (as described in Chapter 4, “Managing the 
Ethernet Monitor Database”), those names are also added to the file 


STARTUP.END. 


Note: Unless you name your stations, the collected addresses are lost if you 
unload the ENMONDRV program. 


Before starting a monitoring session, you have three choices: 


¢ which stations you wish to monitor (all stations or a single station) 
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e which station you wish to collect history statistics for (all stations and a single 
station) 


e the history interval 


Specifying Which Stations to Monitor 


In most cases, you want to monitor all stations, which gives you the option of 
displaying statistics for any or all stations. However, to perform an in-depth 
analysis for important stations such as servers, the Ethernet Monitor lets you 
restrict monitoring to one station and to those stations that communicate with it. 


Specifying History Options 


The Ethernet Monitor collects history statistics for the network as a whole, as well 
as for any one station or address you specify (the Broadcast address is the default 
when you first start up). 


The history interval defines the time between samples, when the values 
accumulated since the last interval are recorded. For example, if you define a 5- 
minute interval, the Ethernet Monitor records the accumulated statistics every five 
minutes and then starts again at 0. (For information about how to display history 
Statistics, see Chapter 3, “Displaying Statistics.”) 


You can compile history statistics for up to 30 days, depending on the number of 
intervals you specify with the History length option in the configuration program. 
By examining history statistics over a period of time, you can get an overview of 
when the network was busy, at what time of the day stations generated errors, and 
so on. 


Note: Designating a different station or changing the interval setting erases the 
history statistics, but leaves other statistics intact. To save this information, 
generate a report, as described in Chapter 6 “Creating Reports.” 


To start a monitoring session: 


Step 1. Decide which stations to monitor. 


a. Move to Monitor filters in the main menu. 
b. Move to the All stations or the Stn = options and press the Spacebar. 


c. Ifyou chose Stn =, press Enter to display the station list, move to the station to 
be monitored, and press Enter again. 


Note: The first time you start monitoring, there won't be any addresses in this 
list except for those in the original STARTUP.END file. To add new stations, 
you can either edit this file with an ASCII text editor, or you can start 
monitoring; any active stations on the network will be added to the database 
automatically. You can then select them from the list. 


The Ethernet Monitor monitors only the specified station and those stations 
that communicate with it. 
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Step 2. 


Step 3. 


Step 4. 


Decide for which stations to collect history statistics and (or) change the history 
interval. 


a. Move to History in the main menu. 


Move to Stn = and press Enter to display the station list. Move to the desired 
station and press Enter. 


c. Move to Interval = and press Enter to display the dialog box where you can 
enter a new value. Type the number of minutes and seconds in the mm:ss 
format (between 00:05 and 60:00) to define the interval and press Enter. Press 
Esc to abort without changing the interval. 


Press function key F10 (New monitor) to start monitoring. Note that the key label 
changes to “Stop monitor.” 


As the Ethernet Monitor monitors the network, it adds all addresses it detects to 
the database. Until you assign names to these addresses, the Ethernet Monitor 
generates unknown station alarms when it detects them. (For information about 
editing the database, see Chapter 4, “Managing the Ethernet Monitor Database.”) 


To see the results of the monitoring, press F3 (Display). 
The Global Statistics view appears, which is updated continuously as traffic is 


monitored. This is only one of several ways to look at collected statistics, as 
described in Chapter 3, “Displaying Statistics.” 


Stopping a Monitoring Session 


When you stop a monitoring session, the ENMONDRV program stops monitoring, 
but remains in RAM. In addition, the following things happen: 
e The label of function key F10 changes to “New monitor.” 


¢ The clock in the upper left corner of the display shows “ENDED,” followed by 
the time you pressed F10. 


e Any statistics are lost when you start the next monitoring session. (Chapter 6, 
“Creating Reports,” tells you how to save statistics.) 


To stop a monitoring session: 


Press F10 (Stop monitor). 


Monitoring in the Background 


You can run a monitoring session in the background while running another 
application provided that application does not use the network card. For example, 
you cannot run the Sniffer Network Analyzer while running the Ethernet Monitor 
in the background. In addition, you can run a monitoring session in the 
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Step 1. 
Step 2. 
Step 3. 
Step 4. 


Step 5. 


background but you cannot display statistics or use any of the other Ethernet 
Monitor features. Also, to stop the monitoring session without losing the statistics 
you collected, you have to run the Ethernet Monitor. 

In addition, if you are monitoring in the background and the number of alarms 
generated exceeds the thresholds set for audible indicators, you will hear a clicking 
sound. To turn off the clicking or to clear alarms from the alarm buffer, you must 
run the Ethernet Monitor. 

Note: Although alarms may trigger the audible indicators while you monitor in 
the background, these alarms are not logged to a printer or to disk. (For a more 
detailed discussion of alarms, see Chapter 5, “Working with Alarms.”) 

To start a monitoring session in the background: 

Type MENU from the DOS command line to display the Main Selection menu. 
Move to Ethernet Monitor to display the Ethernet Monitor Selection menu. 

Move to Run Ethernet Monitor to start your monitoring session. 

Move to Exit to display the Main Selection menu. 


Move to Return to DOS to display the DOS prompt. 


To display or review the collected statistics, run the Ethernet Monitor by repeating 
steps 1-3 above. 
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Chapter 2. Testing the Network 


You can use the Ethernet Monitor to isolate and identify network problems. This 
chapter provides some tips on how to make troubleshooting easier and tells you 
how to test connectivity between the Sniffer station and various stations on the 
network. 


Troubleshooting Tips 


You'll find troubleshooting easier if you take the time to become familiar with 
normal traffic patterns and if you make sure that your stations are named. (The 
views referred to in this section are detailed in Chapter 3, “Displaying Statistics.”) 


Know Your Network 


Determining what’s wrong is much easier when you are familiar with typical 
network patterns before there is a problem. Significant deviations from these 
patterns often indicate a problem. 


To establish a picture of typical network patterns, note the following items when 
you first start working with the Ethernet Monitor: 


¢ heavy and light traffic periods 


Monitor traffic at 30-minute intervals over a period of time, between one day to 
one week. Then use the Global History view to analyze various periods. 


® test protocols to which each station responds 


Use the Station test feature to test each protocol with each station and note to 
which protocol each station responds. If there are connectivity problems in the 
future, it helps to know that a station normally responds to a particular test 
frame. 


° typical frame size distributions 


Use the Frame Sizes view to examine typical frame size patterns. Deviations in 
this pattern are often the result of bringing new applications on-line. If you 
know the typical frame size ranges, you can observe the impact of such 
network changes. You can also investigate changes in patterns to very high or 
low values immediately. Use the All stations view, sorted by frames, to get 
further information. 


* typical Ethertype distributions 


As with frame size patterns, uncharacteristically high or low values may 
indicate problems with stations that typically use specific Ethertypes. 


Note: For determining patterns, longer intervals like 30 minutes to one hour are 
often more meaningful because any spikes are averaged. 


(eat) ie 
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Name Your Stations 


Any unnamed stations in the database trigger unknown station alarms, which 
makes the alarm relatively useless. If your stations are named, however, this alarm 
alerts you to intruders or to possible problems with network bridges or bad cards. 
(For information about naming stations, see Chapter 4, “Managing the Ethernet 
Monitor Database.) 


Testing Connectivity 


Note: If your system has a second slot and you want to use NetBIOS software, you 
can install an additional card to use the NetBIOS feature. 


If your network software supports the IEEE 802.2, XNS Echo, DIX Loop (Ethernet 
V2), or NetBIOS protocols, you can test connectivity with specific stations. In this 
way, you can determine which stations have problems communicating with the 
Ethernet Monitor station. 


With the IEEE 802.2, XNS Echo, and DIX Loop protocols, the Ethernet Monitor 
displays a dialog box that tells you whether or not the designated station 
responded. If you use the NetBIOS software, the Ethernet Monitor displays 
additional statistics designed to help you understand the status of your network, 
as shown in Figure 7. 


Network Adapter Status 
Station Address: 02070103A6DC 


Version: 0x0001 


Minutes Active: 


Traffic Statistics Station Resources 


CRC Errors 0 Free Command Blocks 12 
Alignment Errors 0 Max. Free Command Blocks 255 
Resource Exhaustions 0 Max. Configured NCB 12 
Successful Receives 73 Pending Sessions 0 
Collisions 0 Max. Pending Sessions 6 
Aborted Transmissions 3 Max. Sessions 10 
Retransmissions 60 Max. Data Packet Size 1024 
Successful Transmits 12 Number of Local Names 1 


Name Table 


Press ESC to sto —————————— 


Figure 7. Sample NetBIOS screen. 
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Step 1. 
Step 2. 


Step 3. 


To test connectivity: 
Move to Station test in the main menu. 


Move to the To = field and press Enter to display the station list. Move to the 
station you want to test and press Enter. 


Move to a protocol selection and press Enter to run the test. 


Using the protocol you selected, the Ethernet Monitor sends a test frame to the 
selected station and waits for a response. A dialog box appears that shows 
whether the station responded. If you used the NetBIOS option, you also see the 
information shown in Figure 7. 
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Chapter 3. Displaying Statistics 


This chapter describes how to display the results of the Ethernet Monitor's 
monitoring activities. This feature lets you choose what you want to see and how 
you want to see it. 


You can display traffic statistics for the entire network (global statistics), traffic 
Statistics for a single station, or statistics for every station on the network, sorted to 
your specifications. You can also display a breakdown of frame sizes and 
Ethertypes used, as well as a listing of alarms generated during the monitoring 
session. In addition, you can display history statistics for the entire network or for 
a specific station. 


Note: After you start monitoring, pressing F3 (Display) displays whatever 
statistics you selected in the Display submenu. The default setting when you first 
start the Ethernet Monitor is Global statistics, which displays the Global Statistics 
view. 


This chapter provides an overview of the display options that apply to the 
different views, as well as instructions for displaying: 


¢ Global statistics 

e Station statistics 

e Sorted statistics for all stations 
e The frame size distribution 

e The Ethertype distribution 

e The alarm log 

¢ Global history statistics 

e Station history statistics 


Display Options: An Overview 


Display options exist on two levels. First, you choose which statistics to display 
from the Display submenu, such as the Global Statistics view or the Alarm Log 
view. Second, you also have additional options for some views. This includes 
choosing between a numeric or graphic view, the class of statistics displayed 
(transmissions, receptions, or both), and absolute or relative network usage. 
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Table 1 summarizes the options that apply to each view. These options are 
explained in more detail below. 


Table 1. Specifying display options. 


Network 
usage: 
Absolute, 
Relative 


re a 
ee ee 
a ee 
re ee 
ae a 


*option applies only to graphic view 


Class: To, 
From, Both 


Numeric or 


Graphic 


Numeric vs. Graphic Display 


The numeric and graphic display options determine whether statistics are 
displayed solely as columns of numbers or whether values are plotted on a graph 
for a visual overview of network usage. 


For each graphic view, you can scale the usage axis by pressing function keys F7 
(Scale up), F8 (Scale down), or the up or down Arrow keys. When you scale down, 
the bar graphs become shorter. When you scale up, the bar graphs become taller to 
show the greatest level of detail. Overflow is shown as a triangle on top of the 
graph. 


Class Option: To, From, or Both 


For each station, the Class option determines whether statistics are displayed for 
transmitted frames (From), received frames (To), or both (Both). If this option 
applies, the title of the view identifies the chosen option, such as “Absolute Traffic 
From Stations.” 
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Note: When you choose the Both option, usage percentages can add up to 200% 
because the Ethernet Monitor counts each frame twice, once for the source address 
and once for the destination address. 


Using either the To or From option can lead to statistics that are misleading, since 
the two can be very unbalanced. For example, a station might transmit a brief 
request and receive a huge file in return. 


Therefore, you should use the Both option in most cases for an accurate picture of 
network activity. This option shows which stations generate traffic and how traffic 
is balanced. You can use this information to assign stations to balance traffic 
between servers. 


Note: An example of the From option's usefulness is shown when you display or 
sort by errors. This provides the most accurate picture of which stations are 
transmitting errors. The To option might be useful when comparing the size of 
frames sent to the servers to those transmitted by the servers. 


Network Usage Option: Absolute vs. Relative 


The Network usage option determines whether the statistics are measured as a 
portion of the total network capacity (absolute) or as a portion of the total traffic 
(relative). If this option applies, the view’s title identifies the chosen option, such 
as “Absolute Traffic from Stations.” 


In general, use the Absolute option only when traffic approaches the limits of the 
network’s capacity, to determine when it is time to split the network. Otherwise, 
the Relative option usually provides the best picture of a station’s impact on the 
network. 


Absolute usage shows statistics as a portion of the total network capacity (its upper 
limit), which remains constant. Absolute usage is that portion of the total capacity 
used. For example, if all stations together use 10% of the total capacity, absolute 
usage is 10%. 


Relative usage is a fraction of the absolute usage. Therefore, if one station is 
responsible for all the traffic, its relative usage is 100%. However, if three stations 
generate traffic in equal amounts, relative usage for each is 33%. 


To use another example, assume that a ferry boat can carry 300 people across a 
bay. Thus, it has an absolute capacity of 300. Ona given day 100 of its passengers 
are engineers, 100 are students, and 100 are artists. Since the ferry is full, absolute 
usage is 100%. Each occupational category comprises 33% of the ferry’s relative 
usage. If all the students stay at home one day, absolute usage drops to about 67%. 
However, the relative usage of both engineers and artists rises from 33% to 50%. 
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Displaying Global Statistics 


This view displays traffic statistics for the entire network as they are updated, 
either in numeric or graphic format. 


In the numeric view, statistics displayed include traffic counts, error counts, and 
timestamps. In the top portion of the screen, counts on the left show the amount of 
cumulative activity monitored since the monitor operation was started. Counts on 
the right show activity in the last second. 


LOBAL STATISTICS 07 14:49:52 
Traffic Counts 


Total Stations 26 Active Stations 
Average Usage 0.90 % Current Usage 
Total Frames 3, 500 Current Frames 
Total Bytes 510,509 Current Bytes 
Avg Frame Size 145 Avg Frame Size 


Error Counts Timestamps 


CRC Errors Monitor Started Mar 07 14:49:07 
Alignment Errors Monitor Active 0 day(s) 00:00:45 
Total Frame Errors 

First Activity Mar 07 14:49:08 
Unsaved Frames Last Activity Mar 07 14:49:52 
Missed Frames Network Active 0 day(s) 00:00:44 


Count Overflows 
5 6Disply OFreeze—i0 Stop 
Menus fifoptions displaygmonitor 
Figure 8. The Numeric Global Statistics view. 


If the count for total frame errors is high, use the Display All stations option to see 
if any stations are transmitting an unusually high number of errors. Note that the 
number of total frame errors may exceed the number of CRC and alignment errors 
because it is not always possible to attribute each error to a category. The total 
error count also includes frame fragments (less than 60 bytes long). 


As in the numeric view, the top portion of the graphic view shows traffic counts, 
both cumulative and for the last second. The bottom portion shows absolute 
network usage plotted as a graph and updated at one-second intervals. You can 
scale the usage axis by pressing function keys F7 (Scale up), or F8 (Scale down), or 
by using the up or down Arrow keys to display the optimal level of detail. 
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LOBAL STATISTICS? A$ var 07 14:51:48 
Traffic Counts 


Total Stations 26 Active Stations 
Average Usage f Current Usage 
Total Frames 5 Current Frames 
Total Bytes Current Bytes 
Avg Frame Size Avg Frame Size 


A 
b 
s 
U 
s 
a - 
g 
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Figure 9. The Graphic Global Statistics view. 
To display global statistics: 


Move to Display in the main menu. 


Move to Global statistics and press the Spacebar. An arrow appears to indicate 
that the option is selected. 


Move to the Numeric or Graphic option and press the Spacebar. 


Press F3 (Display) to display the statistics. Statistics are updated until you press 
F10 (Stop monitor). 


Note that, in the graphic view, you can scale the usage axis by pressing F7 (Scale 
up), F8 (Scale down), or the up or down Arrow keys. For the greatest level of 
detail, scale up as far as possible. 


Press F9 (Freeze display) to stop updates to the screen temporarily to make it easier 
to study specific statistics. The clock in the upper right corner is stopped as well. 
However, the Ethernet Monitor continues updating and compiling statistics in the 
background. 


To redisplay the current statistics, press F9 again. The screen clears and updating 
continues. 


Press F5 (Menus) to return to the main menu or F6 (Display options) to change 
how the statistics display. 


Sniffer Advanced Ethernet Network Monitor User's Manual 


Displaying Station Statistics 


This view displays traffic statistics to and from specific stations as they are 
updated, either in numeric or graphic format. 


In the numeric view, the top left column identifies the station to which these 
statistics apply, as well as the station’s two most recent partners. The top right 
column shows combined transmission and reception activity, the lower left portion 
shows transmission activity, and the lower right portion shows reception activity. 


Figure 10 displays traffic to and from a single station. 


SINGLE STATION Mar 07 
Traffic TO and FROM Station 
Current Usage 0 
Station: File Server Average Usage 
Total Frames 
Last sent to: Helene Milici Total Errors 
Last rev from: Jack Clayton Total Bytes 
Avg Frame Size 


Traffic FROM Station Traffic TO Station 


Current Usage : Current Usage 0.24 % 
Average Usage . Average Usage 0.33 % 
Total Frames Total Frames 4,781 
Total Errors 4 Total Errors 3 
Total Bytes Total Bytes 889, 024 
Avg Frame Size 121 Avg Frame Size 185 
Start Time Mar 07 14:49:08 Start Time Mar 07 14:49:08 
End Time Mar 07 14:52:38 End Time Mar 07 14:52:38 
Elapsed 0 day(s) 00:03:30 Elapsed 0 day(s) 00:03:30 


5 6Disply OFreeze—i0 Stop 
Menus foptions| displayfimonitor 
Figure 10. Numeric Single Station view. 


Note: The term “transmission” refers to the source address, or the station from 
which the frames were sent. The term “reception” refers to the destination 
address, or the station to which the frames are being sent. To illustrate this 
distinction, display the station statistics for the Broadcast address. Since Broadcast 
is only used as a destination address, you only see traffic in the “Traffic TO 
Station” category. 


In the graphic view, the bottom portion shows either absolute or relative network 
usage plotted as a graph and updated at one-second intervals. The top portion 
displays either receptions, transmissions, or both, depending on whether you 
selected To, From, or Both with the Class option. Figure 11 shows a graphic view 
of the statistics for a single station. 
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SINGLE STATION4H——____—-Mar 07 14:54:20 
Traffic TO and FROM Station 
Current Usage 1.02 % 
Station: File Server Average Usage 
Total Frames 
Last sent to: Ed Hicks Total Errors 
Last rev from: Jack Clayton Total Bytes 
Avg Frame Size 


A 
b 
s 
U 
s 
a 
g 
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6Displyf/ Scale¥8 Scale™iorreezegi0 Stop 
Menus fMoptions™ up down fidisplayfimonitor 


Figure 11. Graphic Single Station view. 


To display station statistics: 
Step 1. Move to Display in the main menu. 
Step 2. Move to Single station and press the Spacebar. 


Step 3. Move to the Stn = field and press Enter to display the station list. Move to the 
station you want to monitor and press Enter again. 


Step 4. Define how statistics are displayed. 
a. Move to the Numeric and Graphic options and press the Spacebar. 
b. To display the Class and Network usage options, press the down Arrow key. 


c. Move to Network usage, and then to either Absolute or Relative, depending 
on whether you want to show statistics as a portion of the total network 
capacity or as a portion of the current total traffic. Press the Spacebar to select 
one of the options. 


d. Ifyou select the Graphic option, you can also define the Class options. Move 
to either To, From, or Both, depending on whether you want to display 
statistics for receptions, transmissions, or both. Press the Spacebar. 


Step 5. Press F3 (Display) to display the statistics. Statistics are updated until you press 
F10 (Stop Monitor). 


Note that, in the graphic view, you can scale the usage coordinates by pressing F7 
(Scale up), F8 (Scale down), or by using the up or down Arrow keys. For the 
greatest level of detail, scale up as far as possible. 


Step 6. Press F9 (Freeze display) to stop updates to the screen temporarily to make it easier 
to study specific statistics. The clock in the upper-right corner is stopped as well. 


(Sat) - 
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However, the Ethernet Monitor continues updating and compiling statistics in the 
background. 

To redisplay the current statistics, press F9 again. The screen clears and updating 
continues. 

Press F5 (Menus) to return to the main menu or F6 (Display options) to change 
which statistics displays. 


Displaying Sorted Statistics for All Stations 


This view displays only those statistics that interest you and sorts them according 
to a sort key you specify, in either ascending or descending order. 


The numeric view displays stations sorted in a variety of ways. This is useful for 
comparing stations or for finding stations that match certain criteria. 


Figure 12 shows an example of sorted statistics that include the station, the number 
of frames, errors, and bytes, and the percentage of absolute network usage. These 
Statistics were sorted in descending order by the number of frames. 


Mar 07 14:55:27, 


rABSOLUTE TRAFFIC STATISTICS TO AND FROM STATIONS 


Station Frames Errs Bytes Size Usage 
1 File Server 16, 165 22 2,514,582 155 0.52 
2 Print Server 11,164 16 {. 581, 102 144 30.33 
3 Barney Ingram 1,215 0 125, 823. 103 0.02 
4 Alex Zwick 1,207 3 180, 628 149 0.03 
5 James Wylie 1,196 3 168, 731 141 0.03 
6 Michael Harley 1,189 0 117, 314 98 = 0.02 
7 Tom Brown 1,181 0 168, 966 143 #8 0.03 
8 Jill Franz 1,178 4 129 703 104 #=0.02 
Q Miles Russell 1,174 3 156, 930 133. 0.03 
10 George Stanley 1,173 2 393,606 335 0.08 
11 Wes Harding 1,172 0 123,884 105 0.02 
12 Jack Clayton 1,172 2 171,788 146 0.03 
13 Ken Quinn 1, 169 2 132" 403 113 0.02 
14 Linus Stanwick 1,159 1 118, 018 «101 = #8=60.02 
15 Barbara Lemmon 1,152 3 122,630 106 0.02 
16 Fred Biddle 1,145 0 335, 790 293 0.07 M 
17 Anthony Serrao 1,145 0 156, 601 136 =6.:0.03 o 
18 Denise Martin 1,144 0 161,632 144 0.03 r 
Ed Hicks 1,143 2 385,421 337 0.08 e 
Steven Anderson 1.435 0 120,851 106 0.02 4 


eS ara 
Prev—4 Nextfi5 6Disply OFreeze—il0 Stop 
Help Teathe Stationg Menus bptlon displayfimoni tor 


Figure 12. Numeric All Stations view. 


In the numeric view, you can display any of the following statistics: 


e Partner's name—the last station that communicated with each station. 


¢ Frames—the total number of frames transmitted, received, or both during a 
monitoring session. This shows the overall impact of each station on the 
network. 
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e Errors—the total number of frames with errors. This count can help to 
determine which stations may have hardware problems. 


¢ Bytes—the total number of bytes transmitted, received, or both. 
e Average Size—the average frame size transmitted, received, or both. 


¢ Network Usage—the percentage of network usage, averaged over time since 
the monitoring session started. If you select Both with the Network usage 
option, percentages can add up to 200% because each frame is counted twice. 


e First activity—the time the first frame was sent or received. 
¢ Last activity—the time the most recent frame was sent or received. 
e Elapsed activity—the time between the first and last activity. 


Note: If you select more options than can fit on the screen, use the left or right 
Arrow keys to scroll into view hidden portions of the screen. Pressing Control- 
Arrow moves you to the far right or left of any screen. 


The graphic All Stations view displays network usage of up to 10 stations at a time. 
You can determine which stations to display by the sort key. For example, you can 
choose Errors as the sort key to show network usage for the 10 stations that contain 
the most errors. To see more than the 10 stations, use the right or left Arrow keys. 


Although the graph shows usage for all three classes (To, From, and Both), the 
statistics listed below the graph are derived from the selected class; that is, they 
show either transmissions, receptions, or both. The view’s title identifies which 
class of statistics is displayed. 


Figure 13, for example, shows the stations with the highest amount of relative 
network usage for both transmissions and receptions. Note that the statistics 
below the graph are derived from the transmission and reception counts, while the 
graph shows all three classes (To, From, and Both) for each of the listed stations. 
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RELATIVE TRAFFIC STATISTICS TO AND FROM STATIONS————-——Mar 09 16:48: 
50 rkd 


5 6 7 


4 
Legend: BOTH FROM TO 


22 6 George Stanley 

16 7 Mark Ellison 
0.11 8 Robert Hayes 

Ed Hicks i Q9 Tom Brown 


File Server 66 
Print Server 33. 
Fred Biddle 1 


Alex Zwick 40 10 James Wylie 


————— lo 
4 Next 6Disply§/7 Scalesis |Scale9Freeze—i10 Stop 
Stationfistation§ Menus foptions™ up down fidisplayfmonitor 
Figure 13. Graphic All stations view. 
To display and sort selected statistics: 


Move to Display in the main menu. 


Move to All stations and press the Spacebar. Note that additional options appear 
on the right. 
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Ascending 
Descending 


Station test Numeric 
Monitor filters lobal statistics ¢ | Graphic 
Histor Single station ¢ 
Display a iT stations Aaa 
arn rame S1zes ¢ 
Report Ethertypes JV Active stns only 
Manage stations Alarm log 
Exit €1| || Global history x Partner's name 
Station history #] v Frames 
J Errors 


orel Morel 
Display a sorted list of traffic statistics for all stations. 


Press space to select this option 


10 New 
monitor 


Figure 14. The All stations submenus. 


Step 3. Define how statistics are displayed. 
a. Press the down Arrow key to display the Class and Network usage options. 


b. Move to Class, and then to either To, From, or Both, depending on whether 
you want to display statistics for receptions, transmissions, or both. Press the 
Spacebar to select one of the options. 


c. Move to Network usage, and then to either Absolute or Relative, depending 
on whether you want to show statistics as a portion of the total network 
capacity or as a portion of the current traffic. Press the Spacebar. 


d. Move to the Numeric and Graphic options and press the Spacebar to select the 
type of view. 


e. Move to the Ascending and Descending options and press the Spacebar to 
select the sort order. 


Step 4. For the numeric view only, define which statistics will be displayed. 


a. Move to Active stns only and press the Spacebar to toggle the selection. A . 
means only active stations will be displayed; an x means all stations will be 
displayed. 

b. Move to any other options you wish to display and press the Spacebar to 
toggle the selection. 


Step 5. Define the sort key. Move to Sort by, then to the statistic you want to use as a sort 
key and press the Spacebar. 
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Step 6. 


Step 7. 


Step 8. 


For example, if you select Frames, the Ethernet Monitor sorts all stations by the 
number of frames and displays them from highest to lowest or vice versa, 
depending on whether you chose the Descending or Ascending option. 


Note: To sort by network usage, select the Bytes option. 


In the graphic view, the graph shows all classes, but the statistics beneath the 
graph are based on either transmissions, receptions, or both. 


Press F3 (Display) to display the sorted statistics you specified. If there are too 
many options to fit on the screen in the numeric view, use the right or left Arrow 
keys to scroll them into view. 


Note that, in the graphic view, you can scale the usage coordinates by pressing F7 
(Scale up), F8 (Scale down), or by using the up or down Arrow keys. For the 
greatest level of detail, scale up as far as possible. 


To display stations either higher or lower in the sort order, press F3 (Prev station) 
or F4 (Next station). 


Press F5 (Menus) to return to the main menu or F6 (Display options) to change 
which statistics display or how they display. 


Displaying Frame Sizes 


This view displays how many frames fall into each of the predefined size 
categories and what percentage of frames each size category comprises. The graph 
illustrates these numbers for a visual overview. You can use this information to 
determine how to configure your network’s software buffers. 


eT EE 


Size Frames Percent 60 80 100 


60 24.23 

61- 128 44.84 
129- 256 
257- 512 
513-1024 
1025-1514 
over 1514 


6Disply OFreeze—10 Stop 
Menus fMoptions display—imonitor 


Figure 15. The Frame Sizes view. 
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To display frame sizes: 
Step 1. Move to Display in the main menu. 
Step 2. Move to Frame sizes and press the Spacebar. 
Step 3. Press F3 (Display) to display the frame size distribution. 


Step 4. Press F5 (Menus) to return to the main menu or F6 (Display options) to change 
which statistics display. 


Displaying Ethertypes 
This view displays the number and percentage of either bytes or frames used by 


each of the low-level network protocols. The view also illustrates these numbers 
with bar graphs. 


ETHERTYP 
Ethertype Frames Total 


© 
3 


22. 
9. 
0. 
0. 

14. 
0 

14. 
4 
8. 
0. 
8. 
6. 


ZYSSBSsaSRssses 


1 5 6Disply QFreeze—l0 Stop] 
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Figure 16. The Ethertypes view. 


Note: There is no Ethertype for NetWare. NetWare frames are included in the 
category 802.3. 


The network protocols shown in Figure 16 are defined in the Ethernet Monitor's 
startup file C:\ENSNIFF\STARTUP.ENT. Any protocols that are not in this file 
are listed under the category “Other.” If you want breakdowns for Ethertypes 
other than those shown, you must add them in the startup file 
C:\ENSNIFF\STARTUP.ENT before a monitoring session. (Gee Appendix E, 
“Ethertype Values.”) 
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Step 1. 
Step 2. 
Step 3. 
Step 4. 


To display the Ethertype distribution: 

Move to Display in the main menu. 

Move to Ethertypes and press the Spacebar. 

Move to the Bytes or Frames option and press the Spacebar. 


Press F3 (Display). 


Displaying the Alarm Log 


Step 1. 
Step 2. 
Step 3. 


This view displays the alarm log, which shows the alarms in the Ethernet 
Monitor’s alarm buffer. When the alarm log is displayed and an alarm is 
highlighted, you can acknowledge that alarm by pressing F3 (Ack alarm), which 
puts a ¥ mark in the right column. You can also clear the alarm by pressing F4 
(Clear alarm), which deletes it from the alarm buffer. (For a complete discussion of 
alarms and the alarm buffer, see Chapter 5, “Working with Alarms.”) 


To display the alarm log: 
Move to Display in the main menu. 
Move to Alarm log and press the Spacebar. 


Press F3 (Display) or press Enter. 


ALARM LOG 
Priorit 
Warning 


Source 
Helene Hilici 


Apr 02 12:26:42 5 or more frame errors 


arning :2/:40 File Server or more trame errors 
3 Critical 12:28:09 Mark Ellison Rel usage exceeded 25% 
4 Warning 12:29:29 Print Server 5 or more frame errors 
5 Warning 12:31:08 Ed Hicks 5 or more frame errors 
6 Major 12:34:31 Ken Quinn Idle 41 minute 
7 Warning 12:36:07 George Stanley 5 or more frame errors 
8 Warning 12:39:56 Miles Russell 5 or more frame errors 
9 Warning 12:40:18 Fred Biddle 5 or more frame errors 
10 Critical 12:40:26 Michael Harley Rel usage exceeded 25% 
11 Warning 12:47:43 William Griffith 5 or more frame errors 


10 Stop 
moni tor) 


3 Ack §4Clear fib 6Disply 
Help alarm § alarm § Menus ffoptions| 


Figure 17. The Alarm Log view. 
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Displaying Global History Statistics 


This view displays history statistics for the network as a whole. Because history 
statistics include the time network events occurred, they are particularly useful for 
troubleshooting and network maintenance tasks, such as determining periods of 
low activity for scheduling downtime. 


Note: History statistics are erased when you start a new monitoring session or if 
you change the history interval during a monitoring session. You can generate a 
report to save history statistics, as described in Chapter 6, “Creating Reports.” 


The numeric view shows the following information for each interval: the interval 
number, the timestamp, the number of frames, errors, and bytes, the average size 
of the frames, and the percentage of absolute network usage. By pressing function 
keys F3 (View Earlier), F4 (View Later) or the up or down Arrow keys, you can see 
statistics recorded at earlier or later intervals. 


Frames Errs 


50 2 ' ‘ 

49 11 2 163, 223 R 

48 iB j 5 167,604 140 0.89 
47 11:11:16 177 0 25,157 142 0.13 
46 11:11:01 1, 496 4 210,407 140 1.12 
45 11:10:46 917 0 135,629 147 0.72 
44 11:10:31 1,017 4 148,936 146 0.79 
43 11:10:16 159 0 30,888 194 0.16 
42 11:10:01 521 0 84,656 162 0.45 
41 11:09:46 1,017 3 156,566 153 0.83 
40 11:09:34 1, 762 0 280,537 159 1.49 
39 11:09:16 504 3 68,163 135 0.36 
38 11:09:01 86 0 10,406 121 0.05 
37 11:08: 46 574 0 92,687 161 0.49 
36 11:08:31 1, 363 0 205,721 150 1.09 
35 11:08:16 1, 498 0 214,320 143 1.14 
34 11:08:01 482 0 76,889 159 0.41 
33 11:07:46 1,155 6 175,989 152 0.93 


3 Viewed Views 6Disply 10 Stop 
earlier laterj Menus options monitor) 


Figure 18. Numeric Global History Statistics view at 15-second intervals. 


The graphic view shows the interval number, the timestamp, and the percentage of 
usage, as well as a graphic representation of the percentage of absolute network 
usage per interval. 
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il 3 Viewed View— 6Disply 10 Stop 
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Figure 19. Graphic Global History Statistics view at 15-second intervals. 


To display global history statistics: 

Move to Display in the main menu. 

Move to Global history and press the Spacebar. 

Move to the Numeric or Graphic option and press the Spacebar. 
Press F3 (Display) to display the history statistics. 


The graphic view provides an overview of the percentage usage per interval. To 
control the level of detail shown, press F7 (Scale up), F8 (Scale down), or the up or 
down Arrow keys. For the greatest level of detail, scale up as far as possible. 


You can view intervals recorded earlier or later by pressing F3 (View earlier), F4 
(View later), the up or down Arrow keys, or the Home or End keys. 


Displaying Station History Statistics 


The Ethernet Monitor collects history statistics for the station specified with the 
History item in the main menu before you started monitoring. When you first 
start up the Ethernet Monitor, the default address for which history statistics are 
collected is Broadcast. 


Although the numeric and graphic Station History views include the same 
information as the Global History views, you can customize the Station History 
views further to show whether the history statistics include transmissions, 
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receptions, or both, and whether the network usage shown is absolute (in relation 
to total network capacity) or relative (in relation to current network traffic). 


Note: You can collect station history statistics for only one station at a time. Also, 
history statistics are erased when you start a new monitoring session or if you 
change the history interval during a monitoring session. If you need to save them, 
generate a report. (See Chapter 6 “Creating Reports.”) 


Figure 20 shows the history for the station “Fred Biddle,” which shows 
transmissions and receptions compared to relative network usage. Figure 21 
illustrates relative network usage for that station graphically. 


RELATIVE HISTORY STATISTICS TO AND FROM Fred Biddle-———Kar 06 11:20: 4! 
Time Frames Errs Bytes Size *Usage 


Q Mar 06 11:29:44 49 0 13,963 284 6.19 
8 11:29:29 87 0 17,967 206 7.02 
7 11:20:14 54 0 18,676 345 9.59 
6 11:28:59 68 0 23,¢0, 343 11.61 
5 11:28:44 65 0 24,197 372 10.08 
4 11:28:29 66 0 25,691 389 9.40 
3 11:28:14 76 0 19,600 257 8.31 
2 11:27:59 60 0 28,267 471 11.76 
F 11:27:44 70 1 19,825 283 7.28 


3 View—d View—d 6Disply 10 Stop 
earlier’ laterf Menus #Moptions monitor 


Figure 20. Numeric Station History Statistics view. 
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RELATIVE HISTORY STATISTICS TO AND FROK Fred sn ar aaa = 11: on 31 
Time ‘Usage 0 4 12 


16 Mar 06 11:31:29 12.12 
15 11:31:14 8.51 
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Figure 21. Graphic Station History Statistics view. 


To display the station history: 
Step 1. Move to Display in the main menu. 
Step 2. Move to Station history and press the Spacebar. 
Step 3. Define how statistics are displayed. 
a. Press the down Arrow key to display the Class and Network usage options. 


b. Move to Class, and then to either To, From, or Both, depending on whether 
you want to display statistics for receptions, transmissions, or both. Press the 
Spacebar. 


c. Move to Network usage, and then to either Absolute or Relative, depending 
on whether you want to show statistics as a portion of the total network 
capacity or as a portion of the current total traffic. Press the Spacebar. 


d. Move to the Numeric or Graphic option and press the Spacebar. 


Step 4. Press F3 (Display) to display the history for a selected station. Statistics are 
collected until you press F10 (Stop monitor). 


You can view intervals recorded earlier or later by pressing F3 (View earlier), F4 
(View later), the up or down Arrow keys, or the Home or End keys. 
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Chapter 4. Managing the Ethernet Monitor Database 


The Ethernet Monitor database contains station addresses and alarm threshold 
settings. As the Ethernet Monitor monitors the network, it automatically builds 
this database by adding addresses as it detects them and assigning them the 
default station alarm settings. 


Note: You can also add stations manually by editing the file 
C:\ENSNIFF\STARTUP.END (which contains station addresses and names) with 
an ASCII text editor. This lets you add stations that are not yet active on the 
network. 


You can customize the settings associated with each station. This includes 
assigning a name to each station and changing the alarm thresholds for that 
station. You can also define new default alarm thresholds that are automatically 
applied to new stations as they are added to the database, and reset any thresholds 
you changed back to the default settings. In addition, you can delete stations from 
the database. 


This chapter describes how to edit this database, which includes the following 
topics: 

e identifying stations 

¢ assigning names 

* basic strategies for assigning alarm thresholds 

e assigning alarm thresholds for each station 

¢ changing the default alarm thresholds assigned to new stations 

* resetting alarm thresholds to the default settings 

e deleting stations 

* returning to an earlier version of the database 
Note: Changing alarm thresholds during a monitoring session can lead to 
unexpected results. For example, if you change a threshold that has already 
triggered an alarm, no new alarm is triggered when the new threshold is reached. 


Therefore, it is best to make any changes before you start monitoring. You can also 
stop monitoring, make changes, and restart monitoring. 


By choosing Manage stations from the main menu and Edit from the submenu, 
you can view and edit the database via the Manage Station Information view 
(Figure 22). Any changes you make are automatically saved when you exit this 
view. The first time you make changes, the Ethernet Monitor also creates backup 
copies of the database files, so that you can return to the previous version of the 
database at any time. 
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MANAGE STATION INFORMATION 


Address Name Errors No Rsp__Idle_ %Usage__ Priorit 
Intr1n000652 Alex Zwick 5 5 Off 2 Warning 
ntr1n020303 Anthony Serrao 0 Warning 


DEC 023400 Barbara Lemmon Off Warning 


WstDig013106 
3Com 007256 
Intr1n025290 
Intr1n022001 
Intr1n022100 
3Com 014302 
WstDig003504 
Intr1n020005 
WstDig000062 
Intr1n027506 
3Com 013249 
3Com 012301 
3Com 010654 
DEC 000012 
3Com 024523 
Intr 1n023096 
WstDig018347 


Barney Ingram 
Bill Goodman 
David Brooks 
Denise Martin 
Ed Hicks 
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Figure 22. The Manage Station Information view. 


Identifying Stations 


The Ethernet Monitor works by monitoring the hexadecimal 12-character strings 
that form each station’s address. You should assign names to these addresses for 
several reasons: 


¢ Names are easier to identify in a view than addresses. 
¢ You cannot save changes to station alarm thresholds for unnamed stations. 


¢ Unnamed stations are deleted from the database if you unload the 
ENMONDRYV program. 


¢ Unnamed stations trigger unknown station alarms. This makes the alarm 
useless in alerting you to intruders or network problems. 


Before you can name stations, you must determine which address belongs to 
which station. To do this, make a list of each station and its corresponding 
address. You can run the USERLIST report to help you list all the active stations 
on the network. 


Note: If you are using a Novell network, running NetWare's USERLIST utility 


program gives you the names as well as the addresses. To display this 
information, type 


USERLIST /A 
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Step 1. 


Step 2. 
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at the DOS prompt. 

To direct this information to disk, type 

USERLIST /A > USERLIST.TXT. 

To run the USERLIST report: 

Monitor activity a sufficient length of time to register all stations on the network. 
Load the report script USERLIST.SCR and print the report. 

This report contains a list of all addresses detected by the Ethernet Monitor. Write 
down each station’s name next to the address and then use this list to add station 


names to the database, as described in the next section. For detailed instructions 
on generating reports, see Chapter 6, “Creating Reports.” 


Editing Station Information 


Editing station information involves assigning names and alarm thresholds. After 
you assign station names, these names identify the stations in the Ethernet Monitor 
views. 


Naming Stations Automatically 


Step 1. 


Step 2. 


Step 3. 


If you installed a second card that runs NetBIOS software and if the stations you 
want to name are active and also running NetBIOS, you may be able to name them 
automatically. This feature can save you considerable time. 


To name stations automatically with NetBIOS: 

Move to Manage stations in the main menu. 

Move to Probe for names in the submenu and press Enter. 

The NetBIOS software transmits a query to each unnamed address in the station 
list. If it receives a response, the Ethernet Monitor assigns the station a name. To 


interrupt this process, press Esc. 


Follow the procedure in the next section to name any stations that could not be 
named automatically. 


Note: If you are using LattisNet Network Management software, you can also use 
that program’s files to name your stations. 


Naming Stations Manually 


Station names can be up to 16 characters long, using any printable characters. 
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To name a station: 
Step 1. Move to Manage Stations in the main menu. 


Move to Edit in the submenu and press Enter to display the Manage Station 
Information view. 


Step 2. 


Step 3. Move to the station you want to name and press Enter. 


A dialog box appears with a list of the fields you can edit. 


MANAGE STATION INFORMATION 
Address Name 
Intr1n000652 Alex Zwick 
Intr1n020303 Anthony Serrao 5 Off Warning 
DEC 023400 Barbara Lemmon y OFF Warning 
WstDig013106 Barney Ingram 5 OFF Warning 
3Com 007256 Bill Goodman 5 

ntrin avid Brooks 
Intr1n022001 DSTATION 3Com 007 


Intr 1n022100 Name = Bill Goodman 
rrors = ¢ 


3Com 014302 
No response = 5 


4 
Idle = Off ¢ 
Relative usage = 25 % @ 
Priority = Warning ¢ 


Errors NoRsp Idle Usage Priority 
5 5 Off Warning 


E 

F 
WstDig003504 F 
Intr1n020005 G 
H 

J 


WstDig000062 
Intr1n027506 
3Com 013249 J 


Step 4. 


Step 5. 


3Com 012301 
3Com 010654 
DEC 000012 
3Com 024523 


Use t and | then press 
Jill Franz 5 

Ken Quinn 

Linus Stanwick 

Mark Ellison 


Intr1n023096 
WstDig018347 


Michael Harley 
Miles Russell 


Use t and | then press 
6 


Figure 23. Assigning station names. 


Move to the Name field, press Enter, type the station name in the dialog box that 
appears, and press Enter again. Press F6 (Return) to return to the Manage Station 
Information view. 


To name other stations, repeat steps 3 and 4. 


The new settings are saved automatically when you exit the Manage Station 
Information view. You can return to the current default thresholds at any time. 
Since the Ethernet Monitor creates a backup copy of the database the first time you 
make changes during a monitoring session, you can always return to the settings 
of the previous monitoring session. 
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Setting Alarm Thresholds 


The Ethernet Monitor triggers alarms when traffic counts for individual stations or 
for the entire network exceed certain thresholds. In addition to changing these 
thresholds, you can change the default alarm thresholds assigned to new stations 
detected on the network. 


Station Alarm Threshold Options 


For each station, you can determine the thresholds at which the following events 
generate an alarm. 


Errors—defines the number of bad frames (1 to 65535) a station can transmit before 
triggering an alarm. 


No response—defines how long (1 to 7 seconds) a station can receive frames 
without responding before triggering an alarm. To turn the alarm off, choose 0. 


Idle—defines the length of time (1 to 120 minutes) a station can be inactive (not 
transmitting) before triggering an alarm. To turn the alarm off, choose 0. 


Usage—defines the percentage of relative network traffic (1 to 100%) the station 
can transmit before triggering an alarm. (See “Display Options: An Overview” in 
Chapter 3 for an explanation of “relative.”) 


In addition to setting up alarm thresholds, you can determine the importance of 
the alarms for each station, including Inform, Warning, Minor, Major, and 
Critical. 


Note: To see which alarms were generated in a monitoring session, display the 
Alarm Log view (See Chapter 3 “Displaying Statistics.”) 


Global Alarm Threshold Options 


In addition to setting alarm thresholds for individual stations, you can set 
thresholds for the entire network. Alarms are generated when global counts 
exceed these thresholds. This feature is very helpful in measuring network 
performance. 


Note: In addition to the thresholds you define, the Ethernet Monitor automatically 
generates an alarm whenever it detects a frame larger than 1514 bytes or a frame 
that uses the Broadcast address as its source address. 


For some global alarms (Errors, Usage, and Broadcast), you can determine the 
interval to which the threshold applies. For example, if you set the Errors 
threshold at 10 and the interval at 60 seconds, the Ethernet Monitor triggers an 
alarm if it detects more than 10 errors within any consecutive 60-second period. 
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You can determine global alarm thresholds for the following network events: 


Unknown station—determines whether or not the Ethernet Monitor generates an 
alarm when it detects a source address not in the name table. A V mark means that 
an unknown station generates an alarm; an x means that it does not. 


Errors—defines the number (1 to 65535) of bad frames that trigger an alarm. To 
turn the alarm off, choose 0. You can set the interval to which this threshold 
applies (5 seconds to 60 minutes). 


Usage—defines the percentage (1 to 100%) of absolute network usage that triggers 
an alarm. You can set the interval to which this threshold applies (5 seconds to 60 
minutes). 


Broadcast—defines the number of broadcast frames (1 to 65535) that triggers an 
alarm. To turn the alarm off, choose 0. You can set the interval to which this 
threshold applies (5 seconds to 60 minutes). 


Idle—defines the length of time (1 to 120 minutes) the network can be inactive 
before generating an alarm. To turn the alarm off, choose 0. 


Basic Strategies for Setting Alarm Thresholds 


This section provides some basic strategies to get you started in setting thresholds. 
However, finding the thresholds that best suit your particular network and 
preferences requires adjustments as you go along and as your network grows. 


The Alarm Log view can help you determine what thresholds to set. By setting the 
Auto clear option to various intervals, you can see how often alarms occur at those 
intervals and use this information to fine tune your thresholds. 


Setting Global Alarm Thresholds 


To get started, use the History option in the main menu to select the Broadcast 
address and to set the Interval option to 15 minutes. Then monitor traffic over a 
period of time, such as an 8-hour business day. This gives you an overview of 
your network’s traffic patterns. 


Note: .Be sure to have first set History Length in the Configuration Options menu. 
History Length determines the number of intervals to be collected. In the above 
example, setting a History Length of 32 will collect a sufficient number of intervals 
to cover an 8-hour business day. Remember that once the 8 hours of intervals has 
been collected, the collection process continues (unless you stop it), overwriting 
Statistics that have already been collected. 


¢ To determine the usage threshold and error thresholds, display the Global 
History view and note the highest numbers per interval for usage and errors. 
Then set each threshold for these categories to about 50% higher than the 
highest recorded number. 
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¢ To determine the Broadcast threshold, display the Station History view and 
note the highest number of frames sent to the Broadcast station. Then set the 
threshold to about 50% higher. 


¢ To determine the Idle threshold, take into consideration the way your network 
software operates. For example, many software packages, such as Novell, 
automatically transmit traffic every five minutes. If you know this is the case, 
setting your Idle threshold to six minutes alerts you to any problems within a 
minute. 


¢ Toavoid triggering the unknown station alarm for legitimate stations, be sure 
to name all stations. This alarm then alerts you to any intruders. Since faulty 
bridges or bad cards usually generate numerous unknown station alarms, this 
is also a good way to detect problems with bridges and cards. 


Be prepared to adjust the thresholds to higher values if you get too many alarms. 
If the alarms that are generated do not alert you to potential problems quickly 
enough, adjust the thresholds to lower values. 


Setting Station Alarm Thresholds 


When setting alarm thresholds for individual stations, pay particular attention to 
devices that handle a lot of traffic, such as file servers and communications 
gateways. Since these devices are so important to the entire network, it is 
important to fine tune their thresholds so that you are alerted to potential problems 
quickly, without generating unnecessary alarms. 


* To determine a starting point for the Errors threshold, divide the global errors 
threshold by the number of stations. Use the resulting number as the Errors 
threshold for individual stations. 


e For devices like file servers, set the Idle threshold as low as 1 minute to alert 
you quickly to potential problems. Since other stations are likely to be turned 
on and off periodically, set the Idle threshold to “Off.” 


¢ To identify any stations that use large portions of the network’s resources, start 
by setting a low Usage threshold for individual stations. Use this information 
to redistribute heavy users between servers to prevent degradation of service 
to other users. 


As with the global alarm thresholds, be prepared to make adjustments. 


Changing the Global and Station Alarm Thresholds 


Before changing alarm thresholds, we suggest you read the previous section for 
some guidelines on determining the appropriate thresholds for your network. 


Note: The procedures that follow show how to change the thresholds with the 
Manage stations item from the main menu. However, you can also change them 
with the Alarm menu item from the main menu. 


To change the global alarm thresholds: 


Step 1. Move to Manage stations in the main menu. 
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Step 2. Move to Edit and press Enter. 


Step 3. Press F7 (Thres options) to display the Alarm Threshold dialog box and move to 
Global. 


MANAGE STATION INFORMATION 
Address Errors No Rsp Idle Usage Priority 
JY Unknown station 


Errors = 20 
Interval = 00:30 


Thresho ld 
Options ae Usage = 25 % 
tation defaults Interval = 00:05 


Broadcast = 100 
Interval = 00:05 


Idle = 15 


Specify alarm thresholds for the network as a whole. 


“Use the Arrow keys to eis one in the pu=—== 


Intr1n023096 Michael Harley Off 25 Warning 
WstDig018347 Miles Russell 5 5 OFF 2) Warning 
See i ee 


Use t ge + then press ENTER——— 
= 


Figure 24. Changing the global alarm thresholds. 


Step 4. Move to the field you want to change and press Enter to display a dialog box ora 
list of values. Type a value or move to a value to select it, and press Enter again. 
Press F6 (Return) to return to the Manage Station Information view. 
The new settings are saved automatically when you exit the Manage Station 
Information view. Since the Ethernet Monitor creates a backup copy of the 
database the first time you make changes during a monitoring session, you can 
always return to the settings of the previous monitoring session, as explained later 
in this chapter. 
To change the station alarm thresholds: 

Step 1. Move to Manage stations in the main menu. 

Step 2. Move to Edit and press Enter. 

Step 3. Move to the station whose settings you want to change and press Enter. 


A dialog box appears with a list of fields you can edit. 


Step 4. Move to the desired field and press Enter to display an additional dialog box. 
Select or enter a value and press Enter again. 
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MANAGE STATION INFORMATION: 


Address 
Intr1n000652 
Intr1n020303 
DEC 023400 
WstDig013106 
3Com 007256 
Intr1n025290 
TDLE: 


3Com 012301 
3Com 010654 
DEC 000012 
3Com 024523 
Intr1n023096 
WstDig018347 


Name 

Alex Zwick 
Anthony Serrao 
Barbara Lemmon 
Barney Ingram 
Bill Goodman 
David Brooks 


Jill Franz 

Ken Quinn 
Linus Stanwick 
Mark Ellison 
Michael Harley 
Miles Russel] 


Errors No Rsp  Imdle 
5 Off 


Off 


Off 
Off 
Off 
Off 
Off 


4Usage 


Priority 
Warning 
Warning 
Warning 
Warning 
Warning 
Warning 


ning 
Warning 
Warning 
Warning 
Warning 
Warning 


Use t and 4 then press ENTER 


Figure 25. Changing the station alarm thresholds. 


Step 5. Press Esc to return to the Manage Station Information view. 


Step 6. Repeat steps 3, 4, and 5 for all the stations and fields you want to edit. 


The new settings are saved automatically when you exit the Manage Station 
Information view. You can return to the current default settings at any time. Since 
The Ethernet Monitor creates a backup copy of the database the first time you 
make changes during a monitoring session, you can always return to the settings 
of the previous monitoring session, as explained later in this chapter. 


Changing the Default Station Alarm Thresholds 
When the Ethernet Monitor detects new stations on the network, it assigns them 
the default alarm thresholds as it adds them to the database. If you change these 
default settings, any stations added to the network are assigned new defaults. 


Note: You can also change the default alarm thresholds with the Alarm menu item 
from the main menu. 


To change the station default alarm thresholds: 


Step 1. Move to Manage Stations in the main menu. 


Step 2. Move to Edit and press Enter. 
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Step 3. Press F7 (Thres options) to display the Threshold Options dialog box and move to 
Station defaults. 


MANAGE STATION INFORMATION — 
Address Name Errors NoRsp Idle Usage Priority 


Threshold Global 

Options Station defaults Errors = 5 ¢ 
No response=5 
Idle = Off ¢ 
Usage = 25 % ¢ 
Priority = Warningd 


Specify the default alarm thresholds for individual stations. 


Use the Arrow keys to move around in the exu————==== 

Intr1n023096 Michael Harley Off 25> Warning 

WstDig018347 Miles Russell Off 25 Warning 
ee en 


5 5 
5 5 
Use t and J Se ENTER 
5 
Menus 


Figure 26. Changing the station default alarm thresholds. 


Step 4. Move to the field you want to change and press Enter to display a dialog box ora 
list of values. Type in a value or move to a value to select it, and press Enter again. 
Press F6 (Return) to return to the Manage Station Information view. 


The new default settings are saved automatically when you exit the Manage 
Station Information view. Since the Ethernet Monitor creates a backup copy of the 


database the first time you make changes during a monitoring session, you can 
always return to the settings of the previous monitoring session. 


Resetting Station Alarm Thresholds to Default Values 
If you changed the alarm thresholds for stations for a monitoring session, you can 
easily restore the previous default thresholds, either for a single station or for all 
stations. This is a quick way to change all station thresholds. 
Note: Stop monitoring before resetting alarm thresholds. 
To reset a single station: 


Step 1. Move to Manage stations in the main menu. 


Step 2. Move to Edit and press Enter. 
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Step 1. 


Step 2. 


Move to the station you want to reset and press F4 (Apply default). 

The Ethernet Monitor resets the alarm thresholds for that station to the defaults. 
To reset all stations: 

Move to Manage stations in the main menu. 

Move to Reset thresholds and press Enter. 


The Ethernet Monitor resets all station alarm thresholds to the defaults. 


Deleting Stations 


Step 1. 
Step 2. 


Step 3. 


You can delete stations from the database. This erases from the alarm buffer any 
alarms associated with the deleted station. Also, if a deleted station is later 
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detected on the network, the Ethernet Monitor triggers an unknown station alarm. 


Note: To avoid unpredictable results, verify that the monitor is off before deleting 


a station (F10 is labeled New monitor). 
To delete a station: 


Move to Manage stations in the main menu. 
Move to Edit and press Enter. 


Move to the station you want to delete and press F2 (Delete station). 


Returning to the Previous Database 


Step 1. 
Step 2. 


Step 3. 


Whenever you change the database in the Manage Stations Information view, the 
C:\ENSNIFF\STARTUP.ENA and C:\ENSNIFF\STARTUP.END files change as 
soon as you exit the view. The first time you make changes during a monitoring 
session, the Ethernet Monitor also creates backups of these files, so that you can 
always return to the database settings of the previous monitoring session. 

To return to the previous database: 

Move to Exit in the main menu and press Enter. 

Type COPY BACKUP.ENA STARTUP.ENA 

Type COPY BACKUP.END STARTUP.END 


All settings return to the values from the previous monitoring session. 
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Chapter 5. Working with Alarms 


This chapter provides an overview of how alarms work and describes how to use 
them. It includes instructions for the following tasks: 


e displaying the alarm log 

e acknowledging and clearing alarms 
e printing alarms 

e saving alarms to disk 

° setting audible indicator thresholds 


Figure 27 shows how the Ethernet Monitor processes alarms. 
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Figure 27. The Ethernet Monitor alarms: An overview. 


When network statistics exceed certain thresholds, the Ethernet Monitor triggers 
an alarm and sends it to the alarm buffer, as shown in Figure 27. 


The alarm buffer can hold up to 200 alarms. Although some alarms are deferred 
and then placed in the alarm buffer as soon as room becomes available, they may 
be lost when the condition that caused them is no longer present. Since alarms are 
printed or saved to disk only as they are sent to the alarm buffer, there is no record 
that the alarm occurred. For this reason, it is important to clear the alarm buffer 
before it reaches the 200-alarm limit. 


You can display the alarms in the buffer with the Alarm Log view, which also 
allows you to acknowledge and clear alarms. By using the Log to option, you can 
automatically print or save alarms as they are sent to the buffer. 
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Note: An alarm is triggered only the first time a statistic exceeds the threshold. 
Additional instances of this event are ignored until you clear the alarm from the 
alarm buffer. The unknown station alarm is the exception; even if it is cleared, it is 
triggered only once for each station during each monitoring session. 


Displaying the Alarm Log 


The Alarm Log view is the window to the alarm buffer. It lists alarms in the order 
they occurred and shows their priority, the time they occurred, the source of the 
alarm, and the type of alarm. 


Once the Alarm Log view is displayed, you can acknowledge alarms or clear them 
from the alarm buffer. 


To display the Alarm Log view: 
Step 1. Move to Display in the main menu. 
Step 2. Move to Alarm log and press the Spacebar. 
Step 3. Press F3 (Display) or press Enter to display the Alarm Log view. 


Warning Helene Milici 5 or moré frame errors 
Warning YE ile Server 

Critical 12:28:09 Mark Ellison Rel usage exceeded 25% 
Warning 12:29:29 Print Server 5 or more frame errors 
Warning 12:31:08 Ed Hicks 5 or more frame errors 
Major 12:34:31 Ken Quinn Idle 1 minute 

Warning 12:36:07 George Stanley 5 or more frame errors 
Warning 12:39:56 Miles Russell 5 or more frame errors 
Warning 12:40:18 Fred Biddle 5 or more frame errors 
Critical 12:40:26 Michael Harley Rel usage exceeded 25% 
Warning 12:47:43 William Griffith 5 or more frame errors 


rFPOOWDAIMNO BW 


Pe 


1 3 Ack §4Clear fb 6Disply 10 Stop 
Help alarm § alarm § Menus (options monitor] 


Figure 28. The Alarm Log view. 
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Acknowledging Alarms 


To keep track of which alarms have been investigated, you can identify 
(acknowledge) those alarms. Acknowledging alarms also turns off any audible 
indicators if it brings the alarm count below the threshold set for that indicator. 


You can use this feature to maintain a record of which alarms have been handled. 
This is particularly useful when more than a single person is attending to the 
network. 


To acknowledge an alarm: 
Step 1. Move to Display in the main menu. 
Step 2. Move to Alarm log and press the Spacebar. 
Step 3. Press F3 (Display) or press Enter to display the Alarm Log view. 
Step 4. Move to the alarm you want to acknowledge and press F3 (Ack alarm). 


A V mark appears in the right column to indicate that you have dealt with the 
alarm. 


Clearing Alarms 


Since the Ethernet Monitor’s alarm buffer has a limit of 200 alarms, new alarms are 
deferred and may be lost while the buffer is full. Therefore, you should 
periodically clear the alarm buffer, either by manually clearing alarms one at a 
time, or by automatically clearing each alarm after it is in the buffer for a specified 
period of time. You can clear alarms only when the Ethernet Monitor is running. 


In general, clear alarms manually as soon as you deal with them. Clearing alarms 
automatically is useful mainly if you leave the network unattended over long 
periods of time, to prevent the alarm buffer from reaching the 200-alarm limit. 
When using the Auto clear feature to clear alarms automatically, also enable the 
Log to option to automatically print or save to disk a record of alarms generated 
while the network is unattended. 


Note: Clearing an alarm also ensures that a new alarm is generated if counts for an 
event again exceed the alarm threshold. 
To automatically clear alarms: 
Step 1. Move to Alarm in the main menu. 
Step 2. Move to Auto clear = and press Enter. 
Step 3. In the dialog box, enter a value from 1 minute to 99 hours and press Enter. 
Alarms are cleared automatically from the buffer after the specified interval. Fora 


permanent record, print alarms or save them to disk, as described in the next 
section. 
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To manually clear individual alarms: 
Step 1. Move to Display in the main menu. 
Step 2. Move to Alarm log and press the Spacebar. 
Step 3. Press F3 (Display) or press Enter to display the alarm log. 


Step 4. Move to the alarm you want to clear and press F4 (Clear alarm). The alarm is 
cleared from the alarm buffer. 


Using the Ethernet Monitor Logging Function 


The Ethernet Monitor’s logging function automatically prints and (or) saves 
alarms as they are sent to the alarm buffer. This assures that there is a record of 
alarms, even after they are cleared from the buffer (and the Alarm Log view). 
However, the recommended procedure is to handle alarms as they happen. 


Printing Alarms 


You can automatically print each alarm on a designated printer. In general, it is 
not necessary to print alarms unless you run the Ethernet Monitor unsupervised 
for an extended period. Instead, save the alarms for each monitoring session to 
disk, and print them as necessary. 


When printing alarms, you can specify the number of lines printed before the 
Ethernet Monitor inserts a page break. 
To automatically print alarms: 

Step 1. Move to Alarm in the main menu. 


Step 2. Move to Log to and make sure a ¥ mark appears to the left of the Printer option. If 
necessary, press the Spacebar to display the ¥ mark. 
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Auto clear = Off Device COM1 
Thresholds Device COM2 


ace Device LPT1 
udible indicators Device LPT2 
Device LPT3 
Device LPT4 


Page size = 60 


Print alarms to a device. 


Press space to select (v) or not select (x); Alt-space inverts all= 


1 3 10 Stop 
Help Display moni tor 


Figure 29. Printing alarms automatically. 


Step 3. Move to the printer you wish and press the Spacebar. 


Step 4. To specify the number of lines per page, move to Page size = and press Enter. 
Type the number of lines to be printed before a page break. If that number is 
greater than the number of lines that fit on a page, the printing overlaps the page 
breaks, which leads to untidy hard copy. 


Saving Alarms to Disk 


In addition to—or instead of—printing alarms as they occur, you can automatically 
save them to the file C:\ ENSNIFF\ALARM.LOG. You can either append the 
alarms to those saved during previous sessions or overwrite existing alarms with 
the current ones. This gives you the option of saving alarms generated over 
several monitoring sessions in a single file. 


In general, the recommended procedure is to save only the alarms from the current 
session and to deal with alarms as they happen. The append option is most useful 
if you need to collect historical information about alarms, not on a day-to-day 
basis. Otherwise, the ALARM.LOG file eventually becomes huge. 


To automatically save alarms: 
Step 1. Move to Alarm in the main menu. 


Step 2. Move to Log to and then to File. If necessary, press the Spacebar to make sure a | 
mark appears to the left of the File option. 
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Auto clear = Off @ 
Thresholds X Printer 


nae! Pal ile x Clear alarm log 
udible indicators 


Print alarms to a file. 


Press space to select (v) or not select (x); Alt-space inverts all 


1 3 10 Stop 
Help Display moni tor' 


Figure 30. Saving alarms to disk automatically. 


Step 3. Move to Clear alarm log. To append the current alarms to existing alarms from 
previous monitoring sessions, press the Spacebar to display the x to the left of the 
option. To overwrite previous alarms, press the Spacebar to display a V mark. 


The Ethernet Monitor saves the current alarms in a file called ALARM.LOG. 


Step 4. If you want to view this file, exit the Ethernet Monitor and display the 
ALARM.LOG file with an ASCII text editor. 


Note: The ALARM.LOG file is not updated while you are viewing it in DOS (or at 
any other time Ethernet Monitor is not running). 


Setting Audible Indicator Thresholds 


You can specify how many unacknowledged alarms (between 1 and 200) trigger 
each of three audible indicators: Low, Medium, and High. For example, you 
could trigger a low indicator at 20 alarms, a medium indicator at 100 alarms, and a 
high indicator at 150 alarms. 


One suggested use for the high indicator is to warn you that the alarm buffer is 
approaching its limit of 200. How close to 200 you set the threshold depends on 
how quickly alarms are generated and how quickly you can deal with them. 


Note: When the monitor is active, the Ethernet Monitor continues to generate 
alarms even if you exit the Ethernet Monitor. If the number of alarms crosses one 
of the audible indicator thresholds, the clicking is triggered. To turn off the 
clicking or to reset the thresholds, you have to restart the Ethernet Monitor. 


62 


Chapter 5. Working with Alarms 


To set the audible indicator thresholds: 
Step 1. Move to Alarm in the main menu. 
Step 2. Move to Audible indicators. 


Auto clear = Off ¢ 
Thresholds 


Log to 
Audible indicators @@Audible alarms 
Low = 1 


Medium = 25 
High = 50 


Disable the audible warning? 


Press space to select (v) or not select (x); Alt-space inverts all=—= 


il 3 10 Stop 
Help Display onitor 


Figure 31. Setting the audible indicator thresholds. 


Step 3. To disable the indicators, move to Audible alarms and press the Spacebar to 
display the x mark. 


Step 4. Move to either the Low =, Medium =, or High = options and press Enter. 


Step 5. Enter a number from 1 to 200 to specify the number of alarms that triggers the type 
of indicator you selected and press Enter. To turn the alarm off, choose 0. 


Step 6. Repeat steps 4 and 5 to set any other indicator thresholds. 
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Chapter 6. Creating Reports 


In addition to viewing network statistics, you can create customized reports that 
show these statistics in any combination, sorted and arranged according to your 
preferences. You can use these reports to document your network administration 
activities, to justify the need for hardware upgrades, to compare network 
performance over time, and so on. 


You generate reports from report scripts. A report script is a template that defines 
which statistics are included in the report and how these statistics are displayed on 
the screen or page. When you generate a report froma report script, the Ethernet 
Monitor supplies the statistics, inserts them into the report script, and then prints 
or saves the report. 


This chapter provides an overview of the sample report scripts shipped with the 
Ethernet Monitor and explains the following topics: 


¢ loading a report script 

* previewing a report 

¢ printing or saving a report to disk, in either normal or CSV (comma-separated 
values) file format 

¢ creating or editing a report script 

* generating reports from the DOS command line 


The Ethernet Monitor Sample Reports: An Overview 


To get you started, the Ethernet Monitor comes with a number of report scripts 
you can use or modify. These report scripts are named ERRORS, HISTORY, 
LISTENERS, TALKERS, USERLIST, USERS, and USERSCSV. 


Note: After reading the procedure in “Creating or Modifying a Report Script,” you 
may want to read this overview again for a better understanding of how to use the 
options in the Report Script Editor view to create these scripts. 


ERRORS 


The report generated from this script shows the 10 stations that transmitted the 
most frames with more than 5 errors. Statistics are sorted in descending order by 
number of errors. Two filters are used; one to limit the number of stations 
displayed to 10, the other to set a minimum error count of 5 errors. 


The report shows the following statistics: the time monitoring started, the time 
monitoring stopped, the duration of the monitoring session (elapsed time), and the 
total number of stations. Statistics shown for each station include the sort position, 
name, frames, errors, bytes, size, and percentage of relative usage per station. 
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HISTORY 


Top 10 Errors 


This report provides statistics for the 10 stations which have 
transmitted the most frames with errors. Stations must have 
transmitted at least 5 frames with errors to be included in this 
report. 


Monitoring Started: Mar 06 10:44:16 Total Stations: 25 
Monitoring Stopped: Mar 07 11:54:14 
Elapsed Time: 0 day(s) 01:10:02 


Bytes 


1 Barbara Lemmon 1, 429, 735 
2 Barney Ingram 1, 200, 668 
3 Bill Goodman 1, 969, 651 


Hit Esc to quit, any key to continue 


Figure 32. Report based on the ERRORS report script. 


The report generated from this script shows global history information for the 
number of intervals specified in the configuration procedure. This report displays 
history statistics in graphic format with a scale of 10%. 


Use this report to save history statistics before starting a new monitoring session, 
before changing the history interval, or before changing the station for which 
history statistics are collected. 
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History 
This report provides traffic history information. 


Time Usage 0 


50 Mar 06 11:51:44 0.83 
11:51:29 
11:51:14 
11:50:59 


OOO 
Or 
CO1W O 


11:50:44 
11:50:29 
11:50:14 
11:49:59 
11:49:44 
11:49:29 
11:49:14 
11:48:59 
11:48:44 
11:48:29 


S2SsssbeSes 


ocoSesseses9o 
SSRSSSHRBE 


Hit Esc to quit, any key to continue 


Figure 33. Report based on the HISTORY report script. 


LISTENERS 


The report generated from this script shows statistics for the 10 stations that 
received the most traffic during the most recent monitoring session. 


The report shows the following statistics: the time monitoring started, the time 
monitoring stopped, and the duration of the monitoring session (elapsed time). 
Stations are sorted in descending order by the number of bytes received and 
filtered by sort position to display only the first 10 stations. (Because of the screen 
size, only nine stations appear on the screen. Use the Down arrow to scroll to the 
tenth station.) Statistics shown for each station include the sort position, name, 
frames, errors, bytes, size, and percentage of relative usage per station. 
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Top 10 Listeners 


This report provides statistics for the 10 stations which have 
received the most traffic. The stations are sorted by bytes 
received. 


Monitoring Started: Mar 06 10:44:16 
Monitoring Stopped: Mar 06 11:54:18 
Elapsed Time: 0 day(s) 01:10:02 


Bytes Errors Size % Rel 


File Server 16, 492, 710 190 37.58 
Print Server 9, 619, 029 155 21.92 
James Wylie 1,211, 579 197 2.76 
Robert Hayes 1, 200, 435 197 2.73 
Ed Hicks 1,176, 867 188 2.68 
Mark Ellison 1,076, 895 183 2.45 
Denise Martin 966, 355 154 2.20 
Tom Brown 759, 422 121 1.73 
Bill Goodman 756, 095 123 1.72 


ODAMNOB WHE 


Hit Esc to quit, any key to continue 


Figure 34. Report based on the LISTENERS report script. 


TALKERS 


The report generated from this script shows statistics for the 10 stations that 
transmitted the most traffic during the most recent monitoring session. 


The report shows the following statistics: the time monitoring started, the time 
monitoring stopped, the duration of the monitoring session (elapsed time), and the 
total number of stations. Stations are sorted in descending order by the number of 
bytes transmitted and filtered by sort position to display only the first 10 stations. 
Statistics shown for each station include the sort position, name, frames, errors, 
bytes, size, and percentage of relative usage per station. 
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Top 10 Talkers 


This report provides statistics for the 10 stations which have 
transmitted the most traffic. The stations are sorted by bytes 
transmitted. 


Monitoring Started: Mar 07 14:49:07 Total Stations: 
Monitoring Stopped: Mar 07 17:00:14 
Elapsed Time: 0 day(s) 02:11:07 


Bytes Errors Size % Rel 


File Server 123 24. 46 
Print Server 120 15.98 
George Stanley 496 7.36 
Fred Biddle 457 6.66 
Ed Hicks 446 6.41 
Bill Goodman 205 2.91 
Jack Clayton 201 2.89 
Alex Zwick 194 2.79 
Tom Brown 170 2.36 


1 
2 
3 
4 
5 
6 
7 
8 
g 


Hit Esc to quit, any key to continue 


Figure 35. Report based on the TALKERS report script. 
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USERLIST 


0000C0000062 
0000C0003158 
0000C0003504 
000000010257 
000000013106 
000000018347 
020701000652 
020701020005 
020701020303 
020701022001 
020701022100 
020701023096 
020701025290 
020701027506 
02608C004318 


The report generated from this script lists the physical addresses and names of all 
stations, sorted by address. This report is useful for compiling the names for all 
addresses. You can use it to set up the Ethernet Monitor database. 


Station List 


This report lists the physical address and assigned name of each station. 
The stations are sorted by address. 


Helene Milici 
Steven Anderson 
Fred Biddle 

Wes Harding 
Barney Ingram 
Miles Russell 
Alex Zwick 
George Stanley 
Anthony Serrao 
Denise Martin 
Ed Hicks 
Michael Har ley 
David Brooks 
Jack Clayton 
William Griffith 


Hit Esc to quit, any key to continue 


Figure 36. Report based on the USERLIST report script. 


72 


Chapter 6. Creating Reports 


USERS 


The report generated from this script shows transmission and reception statistics 
for all stations, sorted in ascending order (alphabetically) by name. No filters are 
used to limit the number of stations. 


The report shows the following statistics: the time monitoring started, the time 
monitoring stopped, and the duration of the monitoring session (elapsed time). 
Statistics shown for each station include the sort position, name, frames, errors, 
bytes, size, and percentage of relative usage per station. 


All Users 


This report provides combined transmit and receive statistics for all 
stations. The stations are sorted by name. 


Monitoring Started: Mar 06 10:44:16 
Monitoring Stopped: Mar 06 11:56:39 
Elapsed Time: 0 day(s) 01:12:23 


Frames Bytes Size 


1 Alex Zwick 1,929,274 
2 Anthony Serrao 

3 Barbara Lemmon 

4 Barney Ingram 

5 Bill Goodman 

6 David Brooks 

7 Denise Martin 

8 Ed Hicks 

Q File Server 

0 Fred Biddle i 3, 840, 566 


ee a UEEE EEE EEE SaaS 


Hit Esc to quit, any key to continue 


Figure 37. Report based on the USERS report script. 


Sniffer Advanced Ethernet Network Monitor User Guide 


USERSCSV 


The report generated from this script shows the same information as the USERS 
report, but in a delimited format that allows you to import the information into 
spreadsheets, databases, or other applications that use the CSV format. 


"Name", "Frames", "Errs", "Bytes", "Size", "% Rel" 
"Alex Zwick * 
"Anthony Serrao 
"Barbara Lemmon 
"Barney Ingram 
"Bill Goodman 
"David Brooks 
"Denise Martin 
"Ed Hicks 

"File Server 
"Fred Biddle 
"George Stanley 
"Helene Milici 
"Jack Clayton 
"James Wylie 
"Jill Franz 
"Ken Quinn 
"Linus Stanwick 
"Mark Ellison 
"Michael Harley 
"Miles Russell 
"Print Server 
"Robert Hayes 


nD 


w 
OD BW 09 LIN WWI WI GIN 99 BS DO 9 109 WO 


BPPOCONOCOCOCOCVCONOOCCOCOOCCOCoO 
DDWDOODLDWDOWODWONDONIOLOMAHAODWER 
COPrNOCAOANA MOP WOOHBRODOMNO Or 


Hit Esc to quit, any key to continue 


Figure 38. Report based on the USERSCSV report script. 


Generating a Report 


To generate a report, you must first load the report script that specifies the 
Statistics you want to include. When you display, print, or save this report, the 
Ethernet Monitor automatically inserts the statistics from the current monitoring 
session. 


If none of the report scripts suits your needs or preferences, you can create a new 
report script or edit an existing script. You can then save that report script for 
future reports. 


Loading a Report Script 


In many cases, you want to use the same report script over and over. The statistics 
shown and the way the information is laid out remains constant, only the statistics 
change from session to session. 
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Note: Before you can load a report script, you must have saved and named it. 
When you use the Ethernet Monitor for the first time, the only report scripts you 
can load are the sample report scripts shipped with the product, which are 
described in the previous section. 
To load a report script: 

Step 1. Move to Reports in the main menu. 


Step 2. Move to Load and press Enter to display the list of available reports, including the 
Ethernet Monitor sample report scripts and any other reports that have been 
saved. 


Step 3. Move to the report you want to load and press Enter. 


Once you load a report script, you can either print or save the corresponding 
report or edit the report script to change what the report contains or how it 
appears. You can also preview the report before printing it or saving it to disk. 


Previewing a Report 
You can preview how a report will appear. 


To preview a report: 
Step 1. Make sure you have loaded the correct report script. 


Step 2. Move to Edit and press Enter to display the Report Script Editor view, which 
contains the script you loaded. 


Step 3. Press F9 (Screen test) to show how the report will appear. To redisplay the script, 
press any key. 


Printing a Report 


You can print the report on a printer you designate and specify the number of lines 
to be printed before the Ethernet Monitor inserts a page break and a report header. 
To print a report: 

Step 1. Make sure you have loaded the correct report script. 

Step 2. Move to Print, then to the desired printer, and then press the Spacebar. 
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Step 4. 


Step 5. 


Station test 

Monitor filters Screen 
History i Device COM1 
Display ¢ Device COM2 
Alarm Device LPT1 
i bDevice LPT2 
Manage stations Device LPT3 
Exit ¢ ae LPT4 

ile 


X Delimited format 
Page size=60 ¢ 


Print report to the screen, to a device, or to a file. 


== [se the arrow keys to move, or ENTER to do this function== 


il 10 New 
Help monitor 


Figure 39. Designating a printer for printing a report. 


To change the number of lines printed, move to Page size =, and press Enter. In 
the dialog box that appears, enter the desired number of lines, or turn off the 
option by entering 0. Press Enter again. 


If the number of lines you specify exceeds the length of the page, the Ethernet 
Monitor prints the number of lines you specified, overlapping the page break. 


Press Enter to print the report. 


Saving a Report to Disk 


You can save a report to preserve the statistics generated during a particular 
monitoring session in either normal file format or the CSV format. The CSV format 
eliminates embedded commas within fields and page breaks within the report. 


The CSV format allows you to import the file into other applications, such as 
spreadsheets and databases. Using the CSV format eliminates the need to write a 
macro to export your Ethernet Monitor report files. 


For example, you might want to show the comparative usage of your network 
servers in a pie chart. By creating a report that provides those statistics and then 
importing that report into Excel, you can use Excel's graphics capabilities to create 
a pie chart based on your report. 


Note: If the program into which you want to import requires additional 
formatting, such as commas between fields and quotation marks around text 
fields, make these changes in your report script. (See the USERSCSV report script 
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for an example). Refer to the documentation of the application into which you 
want to import for details about required filenames, field formats, and other 
considerations. 


To save a report to disk: 
Step 1. Make sure you have loaded the correct report script. 
Step 2. Move to Print, then to File, and press the Spacebar. 


To save the report in the normal file format, make sure that an x displays to the left 
of the Delimited format option. To save the report in CSV format, make sure that 
a V mark appears to the left of the option. If necessary, press the Spacebar. 


Moret== 
Device COM1 
Device COM2 
Device LPT1 
Device LPT2 
Device LPT3 
Device LPT4 


x Delimited format 
Page size = 60 


Print to file. 


—Press space to select this optio———= 


monitor 


Figure 40. Saving a report. 


Step 3. Move back to Print and press Enter to display the dialog box. Enter a file name and 
press Enter again. 


The Ethernet Monitor saves the report and automatically assigns it the extension 
RPT or CSV, depending on the file format you chose. 


Creating or Modifying a Report Script 


If existing report scripts do not meet your needs, you can create a new report script 
or modify an existing script. For example, to replace the “Bytes” column in the 
TALKERS report script with “Frames,” you would simply change the column 
header and the associated code. You can make any substitutions you wish in this 
way to create customized reports. 
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Step 1. 


Step 2. 


Step 3. 


You can create and modify report scripts with the Report Script Editor view. This 
includes the following tasks: 


¢ Clear the contents of an existing report script. 
e Enter text. 
* Define which statistics (fields) to include in the report. 


¢ Define which field to use to sort the report, in either ascending or descending 
order. For example, to show which stations are the heaviest users, you could 
sort in descending order by network usage. 


¢ Define one or two filters to further refine the report. For example, you can use 
Filter 1 to limit the statistics based on the sort position (such as the 10 stations 
with the most errors), and Filter 2 to set a threshold that eliminates statistics 
that do not pass the threshold (such as those stations that have fewer than 5 
errors). 


¢ Determine the report’s appearance by adding or deleting blank lines, or by 
adding special characters such as horizontal and vertical lines. 


¢ Preview the report. 


¢ Save and rename the report script for future use. 


Note: These features may at times interact in unexpected ways. Be particularly 
careful when using both filters with the AND option, or when filtering by sort 
position. For example, if you sort by errors in ascending order and then use one 
filter to limit the report to the first 10 stations in the sort order and the second filter 
to include only stations with more than 5 errors, the resulting report would 
probably show nothing. 


To debug a report script, test it first without filters, then with one filter, and then 
with the second filter. 


To create a report script: 

Move to Reports in the main menu. 

Move to Edit and press Enter. 

Unless you loaded a report script during the current monitoring session, a blank 
report script appears in the Report Script Editor view. If you previously loaded a 


script, that script appears. 


To clear an existing report script, press Fé (Edit options), move to Clear, and press 
Enter. Press F6 (Return) again to return to a blank report script. 


To edit a report script: 


Note: The procedure that follows shows just one way to edit a report script. Once 
a report script displays (step 2), you can vary the order in which you do various 
tasks or skip those tasks not relevant to your needs. This procedure provides an 
example of how you could duplicate the TALKERS report (Figure 35). 


78 


Chapter 6. Creating Reports 


Step 1. Move to Reports in the main menu. 


Step 2. Move to Edit and press Enter to display the Report Script Editor view with the last 
report you loaded. 


Step 3. Press F6 (Edit options), move to Clear, and press Enter. Press Fé (Return) again to 
display a blank report script. 


-REPORT SCRIPT EDITOR—————————————Row:_ 1ol:_ 1- 


1 2Insert§3inserti4Delete—is 6 Edita? BRepeat™9Screen| 
Help § field line linefl Menus foptions™ Chars charg test 


Figure 41. Example of cleared report script. 


Step 4. To define which statistics to include, position the cursor where you want the first 
field to appear. Then press F2 (Insert field) to display the list of available fields. 
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-REPORT SCRIPT EDITOR 


Global Errors Station From To Both 


Total Sort Pos Partner Partner Partner 

sage CRC Address % Usage % Usage % Usage 
Frames Align Name Frames Frames Frames 
Bytes Unsaved Text Errors. Errors Errors 
Avg Size Missed Bytes Bytes Bytes 
First Overflow Avg Size Avg Size Avg Size 
Last First First First 
Elapsed Last Last Last 
History Elapsed Elapsed Elapsed 
Start History History History 
End 
Active 


Figure 42. Selecting fields to include in a report. 

a. Move to the first field you want to display and press Enter. (For the TALKERS 
report, you would select Sort Pos(ition) under the heading Station.) 
A code appears on the screen. When the Ethernet Monitor compiles the report, 
it automatically substitutes a value for that code. 


b. Position the cursor for the next field, with at least one space after the previous 
field. Also, be sure that the end of the field does not exceed the end of the line. 


c. Press F2 again, select the second field you want to display and press Enter. 
(For the TALKERS report, you would select Name under the heading Station). 


d. Repeat steps b and c until you have defined all the fields to be included. 


Figure 43 shows the codes for the fields of the TALKERS report (Figure 35), as 
they would appear after you select them. Note that the first letter of each code 
identifies the type of field that the code represents, as listed in the column headers 
in Figure 42, such as Global, Station, From, and so on. 
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-REPORT SCRIPT EDITOR —______—___| 


@GMON START. @ 
@GMON END...@ 
@GMON ACTIVE. ..@ 


@SS@  @SNAME......... @ CPB Bica ecu @ @FER@ GFFRAME..... @ @GFURE@ 


4Delete—is 6 Editi7 8Repeat#9Screen 
Help § field line line™l Menus fMoptions§ Chars charg test 
Figure 43. Codes that represent report fields. 


Step 5. To enter text, use the Arrow keys to move the cursor to the desired place and start 
typing. For example, you might want to enter explanatory text or headers for the 
fields you selected in step 4. The upper right corner identifies the cursor position 
by row and column to help you place the cursor precisely. 


Note : If you try to enter the @ symbol in your report, the Ethernet Monitor 
displays @@ to differentiate your input from the keyboard from the @ symbols 
used as delimiters in the field codes. When you print, the report prints correctly 
with a single symbol. 
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-REPORT SCRIPT EDITOR—-————————————————Row:_ 15 Col: 
Top 10 Talkers 


This report provides statistics for the 10 stations which have 
transmitted the most traffic. The stations are sorted by bytes 
transmitted. 


Monitoring Started: GMON START. @ Total Stations: GS@ 
Monitoring Stopped: @GMON END...@ 
Elapsed Time: @GMON ACTIVE. ..@ 


Name Bytes Errors Size % Abs 


@SS@  @SNAME @ @FER@ @FA@ @FURE@ 


Figure 44. Adding text toa report. 


Step 6. To sort the report, press Fé (Edit options), move to Report settings, and then to 
Sort by to display the sort options. 
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-REPORT SCRIPT EDITOR 
foret=—== 


| Ascending 
Descending 


Name 
Partner's name 


| J Filter 1 
AND 


Average size 
OR First activity 
J Filter 2 Last activity 
Elapsed activity 
Kore! 
Should the stations be sorted by total frames? 


Figure 45. Sorting a report. 


a. Move to and select the To, From, or Both option by pressing the Spacebar. 
(For the TALKERS report, select the From option to display transmissions.) 


b. Move to and select either Ascending or Descending to select the sort order. 
(For the TALKERS report, select the Descending option.) 


c. Move into the list of fields and press the Spacebar to select the field by which 
you want to sort. (For the TALKERS report, select Frames.) 


Step 7. Touse the filters, move to Filter 1. If necessary, press the Spacebar to display the | 
mark. If you want to use a second filter, decide whether you want the statistics to 
pass either filter or both filters, and select the appropriate option (OR or AND). 
Then move to Filter 2 and make sure it is selected (V mark). 


If you select two filters with the AND option, both filters must be passed to display 
the statistic. If you select the OR option, the statistic is displayed if it passes either 
filter. 


a. In the list, move to the item you want to use as a filter and press the Spacebar. 
Press Enter to display the dialog box that shows the range of minimum and 
maximum values. Press Enter again to display the dialog boxes for entering 
new minimum and maximum values. (For the TALKERS report, you would 
select the Sort Position as Filter 1 and specify a minimum value of 1 and a 
maximum value of 10 to get the top 10 users.) 


Note: After changing a filter value, immediately press the left Arrow key to 
return to the Filter 1 option. This ensures that you do not accidentally change 
the new value by viewing other filter values. 
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Step 8. 


Step 9. 
Step 10. 


Step 11. 


-REPORT SCRIPT EDITOR 


Sort position 

Name 

Partner's name 

Frames 

Errors 

Bytes 

Average size 

First activity 

Last activity 
Hore! 


PAAAAAAAA 


Use this filter? 


Press space to select (v) or not select (x); Alt-space inverts all=—= 


il 5 6 
Help Menus fi Return 


Figure 46. Using filters to limit stations included in the report. 


b. Press F6 (Return) to return to the Edit view. 
c. Ifyou selected two filters, repeat steps a and b for the second filter. 


To refine the report’s appearance, you can add or delete blank lines to make the 
report more attractive. You can also add special characters like up or down or 
right or left ruling lines. 


a. Toadd or delete lines, use the F3 (Insert line) or F4 (Delete line) keys. 


b. To add headers, use the Arrow keys to position the cursor above the fields you 
want to describe. Then start typing. 


c. To add special characters, press F7 (Chars) to display a list of available 
characters. Move to the desired character and press Enter. To repeat the 
character, use the Arrow keys to position the cursor on the character and press 
F8 (Repeat chars) to make a continuous line or other special display. (For the 
TALKERS report, you would use special character to make up or down lines, 
right or left lines, and corners.) 


To see how the report will appear, press F9 (Screen test). 
Press Esc to return to the script. You can now make any additional changes to fine 
tune the report script. 


To print or save the report, press F6 (Edit options), move to Print, and then either 
designate a printer or choose File. (See “Printing a Report” and “Saving a Report” 
earlier in this chapter for a description of the associated options.) 
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Saving a Report Script 


Step 1. 


Step 2. 


When you finish editing a report script, you can save that script for future use. The 
original script you used as a basis is not changed; instead, you save the edited 
version under a new name. 

To save a report script: 


With the report script displayed, press Fé (Report Options), move to Save, and 
press Enter. 


In the dialog box that appears, type the report script name and press Enter. 


The Ethernet Monitor saves the report script and assigns it the extension SCR. The 
next time you load report scripts, this script appears as one of the options. 


oe 
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Reference: Introduction 


Introduction 


This section consists of three parts. 


e The Ethernet Monitor Files—briefly describes each of the Ethernet Monitor 
program and data files. 


e The Configuration Program—describes the options associated with the 
configuration program. 

¢ The Menu Options—describes each of the menu items in the Ethernet 
Monitor’s main menu, along with any associated options. For those options 
that display additional information, there is also an explanation of each item in 
the view. 


Note: For an overview of how to use the Ethernet Monitor, see Chapter 1 “Getting 
Started.” 


Reference: The Ethernet Monitor Files 


The Ethernet Monitor Files 


Read: 


This section lists the Ethernet Monitor files and summarizes when these files are 
read and written. 


The Ethernet Monitor program consists of three program files and several data files. 
All files reside in the ENSNIFF subdirectory with the exception of reports which 
reside in the CAPTURE\REPORTS subdirectory. The program files include 
ENMONDRV.EXE, ENMONCFG.EXE, and ENMON.EXE. 


ENMONDRV.EXE runs in the background, controlling the network interface card 
and collecting data. It is loaded into RAM as a terminate and stay-resident (TSR) 
program. The amount of RAM used depends on the number of stations monitored 
and the number of history intervals collected. 


ENMONCHG.EXE is the configuration program that lets you change the network 
interface card settings and the monitoring parameters. 


ENMON.EXE is the foreground application that includes the user interface that 
lets you control most Ethernet Monitor functions. 


The data files contain the information the Ethernet Monitor needs. They include: 


e ENMON.CFG 

e STARTUP.ENB 

e STARTUP.ENI 

e STARTUP.ENT 

e CAPTURE\REPORTS\*.SCR 
e STARTUP.ENA 

e STARTUP.END 

e ENMON.HLP 


Note: In addition to the data files shipped with the Ethernet Monitor, the Ethernet 
Monitor creates duplicates of the STARTUP.ENA and STARTUP.END files 
whenever you change these files for the first time in the monitoring session. These 
are called BACKUP.ENA and BACKUP.END, respectively. Asa result, you can 
always return to the previous version of the database. 


ENMON.CFG—binary file that contains the configuration settings. 


When you run the configuration program. If this file is not found, the Ethernet 
Monitor uses the defaults. 


When you load the ENMONDRV program. If this file is not found, the Ethernet 
Monitor displays an error message. 
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Written: 


Read: 


Written: 


Read: 
Written: 


Read: 
Written: 


Read: 
Written: 


Read: 
Written: 


When you run the Ethernet Monitor. If this file is not found, the Ethernet Monitor 
displays an error message. 


When you terminate the configuration process. 
When you load the ENMONDRV program. 


STARTUP.ENB—binary file that contains the default settings for the user interface 
options, such as the video device option, which menu items are selected, and so on. 


When you start the Ethernet Monitor. If this file is not found, the Ethernet 
Monitor uses the defaults. 

When you exit the Ethernet Monitor. Any user interface option changes are 
saved. 


STARTUP.ENI—ASCII file that contains the IEEE vendor identification values, 
which make up the first six characters of a station’s address. You can edit this file 
with an ASCII text editor. 


When you start the Ethernet Monitor. 
When you save changes made with a text editor. (The Ethernet Monitor does not 
write this file.) 


STARTUP.ENT—ASCII file that contains Ethertype information and definitions. 
You can edit this file with an ASCII text editor. 


When you start the Ethernet Monitor. 
When you save changes made with a text editor. (The Ethernet Monitor does not 
write this file.) 


\CAPTURE \REPORTS \*.SCR—contains the report scripts in the CAPTURE 
subdirectory. 


When you choose Report/Load. 
When you choose Report/Save. 
STARTUP.ENA—ASCII file that contains station addresses and alarm thresholds. 
This file is not shipped with the Ethernet Monitor; instead, it is created during the 


first monitoring session, when the Ethernet Monitor adds stations it detects on the 
network to this file and assigns them default thresholds. 


When you start a monitoring session. 

When you exit the Manage Station Information view after making changes. 
When you stop and then restart a monitoring session. 

When you edit the file with a text editor. 

When you exit the Ethernet Monitor. 

STARTUP.END—ASCII file that holds station names and addresses. Like the 
STARTUP.ENA file, this file is created as you use the Ethernet Monitor. You can 
enter station names automatically (if you use NetBIOS), with the Mana ge Stations 


Information view, or with a text editor. If you are running the LattisNet software, 
you can also use the information in its files. 
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Read: When you start a monitoring session. 
Written: When you use the Probe for names function to add station names. 
When you exit the Manage Station Information view after adding names. 
When you stop and then restart a monitoring session. 
When you edit the file with a text editor. 
When you exit the Ethernet Monitor. 
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The Configuration Program 


This section describes the configuration options, including the network card 
settings for the network interface card and the monitor settings that define the 
monitoring parameters. 


CONFIGURATION OPTIOXS--—= 
Network General Copyright 1988 - 1990 


Network Card Settings Monitor Settings 


[1/0 Address = 300 Maximum Stations = 1024 ¢ 
DMA Channel = 6 History Length = 100 < 
Address Style = Standard 


==[se the Arrow keys to move, or ENTER to change this value 


Figure 47. The Configuration Options view . 
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Options 


I/O Address—Defines the network card’s base I/O address, which is the memory 
location in the host processor’s I/O port used to control the network interface card. 


DMA Channel—specifies the memory access channel used to transfer data 
between the network card and the CPU. 


Maximum Stations—Defines the maximum number of stations to monitor (to 
1024). 


History Length—Defines the number of intervals recorded for history statistics (to 
1750). 


Address Style—Defines the predominant Ethernet address style used (standard or 
DEC). DEC’s addressing scheme differs from most others in that the second to the 
last byte (instead of the last byte) is the most varied. Choosing DEC as the address 
style tells the Ethernet Monitor to look at that byte first, which enhances 
performance if most of your stations use DEC network cards. 


Note: Increasing the number of stations on the network or collecting more 
intervals increases the amount of RAM used by the ENMONDRV program. 
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The Ethernet Monitor Menu Items 


This section describes each menu item in the order it appears in the Ethernet 
Monitor’s main menu, along with any associated options. For options that display 
additional information, such as the Global Statistics view associated with the 
Display option, there is also an explanation of each item in the view. 


Network 
General 


Ethernet Sniffer 
Network Monitor 
Version 1.00 


(C) Copyright 
1988 - 1990 


Station test 
Monitor filters 


Histor 
aah 
Report 


Manage stations 
Exit 


Display traffic statistics. 
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Single station 
All stations 
Frame sizes 
Ethertypes 
Alarm log 
Global history 
Station history 


Class 


Network usage 


Tse the Arrow keys to move, or ENTER to do this functiom——— 


il 
Help 


Figure 48. The Ethernet Monitor main menu. 


10 New 
monitor 
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Station test 


Options 


Tests for station response, using the protocols listed below. To use the NetBIOS 
option, you need to install a second network interface card and load NetBIOS 
software for that card. 


To = —Displays the station list, from which you can choose the station you want to 
test. To move through the list quickly, type the first character of the station’s 
name. 

IEEE 802.2—Sends an IEEE 802.2 test frame. 

XNS Echo—Sends an XNS Echo test frame. 

DIX LOOP—Sends an Ethernet V2 loopback test frame. 


NetBIOS—Performs a NetBIOS remote status request command. 


Monitor filters 


Options 


History 


Lets you choose between monitoring all stations or monitoring only those stations 
that communicate with one specified station. 


All stations—Monitors all stations. 


Stn = —Displays the station list, from which you can choose the station to which to 
limit monitoring. To move through the list quickly, type the first character of the 
station’s name. 


Lets you specify the history interval and designate a station for which history 
Statistics are collected. The history interval determines how often the Ethernet 
Monitor records history statistics. You can determine the total number of intervals 
collected in the configuration procedure. 


Note that changing these settings erases any previous history statistics. To save 
them, generate a report. 
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Options 


Display 


Options 


Reference: The Menu Items 


Stn =—Displays the station list, from which you can choose the station you want 
monitor. To move through the list quickly, type the first character of the station’s 
name. 


Interval—Displays a dialog box that lets you change the interval in the mmiss 
format (between 00:05 and 60:00). 


Displays collected statistics in a variety of ways. These displays are called 
“views.” 


Global statistics—Displays traffic statistics for the network as a whole 
Single station—Displays traffic statistics for a specific station. 


All stations—Displays selected statistics, sorted according to your specifications, 
for all stations. 


Frame sizes—Displays a distribution of frame sizes. 


Ethertypes—Displays a distribution of Ethertypes, measured either in bytes or 
frames. 


Alarm log—Displays a list of alarms generated in the current monitoring session 
that have not been cleared. 


Global history—Displays a history of activity for the entire network. 
Station history—Displays a history of activity for a specific station. 


Each of these options displays a different view of the statistics. The options 


to 


associated with each view and the information displayed on the screen is described 


in more detail for each view in the following pages. 


Display Global Statistics 


This view provides a high-level view of network activity for all stations for the 
current monitoring session. 
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Options 


Numeric—Displays global statistics as columns of numbers, including updated 
traffic counts, error counts, and timestamps (Figure 49). 


Graphic—Displays traffic counts in the top portion and a graph of absolute 
network usage over a 60-second period in the bottom portion (Figure 50). 


Information Displayed: Numeric 


Traffic Counts 


Total Stations 26 Active Stations 
Average Usage : Current Usage 
Total Frames } Current Frames 
Total Bytes Current Bytes 
Avg Frame Size 145 Avg Frame Size 


Error Counts Timestamps 


CRC Errors Monitor Started Mar 07 14:49:07 
Alignment Errors Monitor Active 0 day(s) 00:00:45 


Total Frame Errors 
First Activity Mar 07 14:49:08 


Unsaved Frames Last Activity Mar 07 14:49:52 
Missed Frames Network Active 0 day(s) 00:00:44 


Count Overf lows 
5 6Disply| OFreeze—i0 Stop 
Menus foptions displayfimonitor 


Figure 49. Global Statistics view: numeric. 


Traffic Counts 


Counts on the left show the amount of activity monitored since the monitoring was 
started. Counts on the right show current activity for the last second. 


Total Stations—Displays the total number of stations that have transmitted 
frames. 


Average Usage—LDisplays the average percentage of utilization of the network’s 
absolute capacity. 


Total Frames—Displays the total number of frames transmitted. 


Total Bytes—Displays the total number of bytes transmitted. 
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Avg Frame Size—Displays the average size of transmitted frames (Total Bytes / 
Total Frames). 


Active Stations—Displays the number of stations that transmitted frames in the 
last second. 


Current Usage—Displays the average percentage of absolute utilization of the 
network’s capacity during the last second. 


Current Frames—Displays the number of frames transmitted in the last second. 
Current Bytes—Displays the number of bytes transmitted in the last second. 


Avg Frame Size—Displays the average size of transmitted frames for the last 
second (Total Bytes / Total Frames). 


Error Counts 
Note: The Ethernet Monitor may not detect all errors. 
CRC Errors—Displays the number of frames transmitted with CRC errors. 


Alignment Errors—Displays the number of frames transmitted with alignment 
errors. 


Total Frame Errors— Displays the total number of bad frames. 


Unsaved Frames—Displays the number of frames the Ethernet Monitor could not 
save to memory. This number should be extremely low. 


Missed Frames—Displays the number of frames the Ethernet Monitor could not 
analyze. This number is usually 0. 


Count Overflows—If this number is not 0, it means that a counter has exceeded its 
maximum limit and that one or more values are incorrect. To reset the counters, 
start a new monitoring session. 


Timestamps 


Monitor Started—Displays the date and time the current monitoring session 
started. 


Monitor Active—Displays the length of the current monitoring session. 
First Activity—Displays the date and time the first frame was transmitted. 
Last Activity—Displays the date and time the most recent frame was transmitted. 


Network Active—Displays the amount of time between the first and most recent 
frame transmitted. 
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In addition to these timestamps, the current time and date display in the view’s 
upper right corner. 


Information Displayed: Graphic 


LOBAL STATISTICS 
Traffic Counts 


Total Stations 26 Active Stations 
Average Usage : Current Usage 
Total Frames ; Current Frames 
Total Bytes Current Bytes 
Avg Frame Size 149 Avg Frame Size 


D ODisply—7 Scalel8 Scale¥Orreeze¥i10 Stop 
Menus fMoptions™ up down fidisplayfimonitor 


Figure 50. Global Statistics view: graphic. 


The top portion of the view displays traffic counts identical to those in the numeric 
view. The graph in the bottom portion shows absolute network usage over a 60- 
second period. The graph updates at one-second intervals, moving across the view 
from right to left. The current time and date display in the upper-right corner of 
the view. 


You can scale the usage axis to display the desired level of detail by pressing F7 
(Scale up), F8 (Scale down), or the up and down Arrow keys. 
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Display Single Station 


This view provides a high-level view of current activity for a selected station. 


Options 


Stn =—Displays a list of stations from which you choose a station for which to 
display statistics. 


Numeric—Displays traffic statistics for the selected station as columns of numbers, 
including transmissions, receptions, and both (Figure 51). 


Graphic—Displays traffic statistics for transmissions, receptions, or both, 
depending on the Class option you choose. The graph in the bottom portion 
shows either absolute or relative network usage by the station over a 60-second 
period (Figure 52). 


Class—Displays either transmissions, receptions, or both. 
Network usage—Displays either absolute or relative usage counts. 


Information Displayed: Numeric 


SINGLE STATION Mar 07 14:52: 

Traffic TO and FROM Station 

Current Usage 0.37 % 

Station: File Server Average Usage 0.54 % 
Total Frames 9, 224 
Last sent to: Helene Milici Total Errors 7 
Last rev from: Jack Clayton Total Bytes 1, 430, 836 
Avg Frame Size 155 


Traffic FROM Station Traffic TO Station 


Current Usage : Current Usage 

Average Usage ; Average Usage 

Total Frames Total Frames 

Total Errors 4 Total Errors 

Total Bytes Total Bytes 

Avg Frame Size al Avg Frame Size 

Start Time Mar 07 14:49:08 Start Time Mar 07 14:49:08 
End Time Mar 07 14:52:38 End Time Mar 07 14:52:38 
Elapsed 0 day(s) 00:03:30 Elapsed 0 day(s) 00:03:30 


5 6Disply OFreezesi0 Stop 
Menus foptions displaygimonitor 


Figure 51. Single Station view: numeric. 
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The top portion shows traffic counts for both transmissions and receptions for a 
selected station. The lower-left portion shows counts for transmissions, the lower- 
right portion shows counts for receptions. The current time and date display in the 
upper-right corner of the view. 

Station:—Displays the name of the station for which statistics appear. 


Last sent to:—Displays the destination address or name of the station to which the 
most recent frame was transmitted. 


Last rcv from:—Displays the source address or name of the station from which the 
most recent frame was received. 


TO and FROM Station 


Current Usage—Displays the percentage of utilization in the last second for both 
transmissions and receptions. 


Average Usage—LDisplays the average percentage of utilization for both 
transmissions and receptions. 


Total Frames—Displays the total number of frames transmitted and received. 


Total Errors—Displays the total number of bad frames transmitted and received. 
Note that the Ethernet Monitor may not be able to detect all errors. 


Total Bytes—Displays the total number of bytes transmitted and received. 


Avg Frame Size—Displays the average size of frames transmitted and received. 


FROM Station 


Current Usage—Displays the percentage of utilization for transmissions in the last 
second. 


Average Usage—Displays the average percentage of utilization for transmissions. 
Total Frames—Displays the total number of frames transmitted. 


Total Errors—Displays the total number of bad frames transmitted. Note that the 
Ethernet Monitor may not be able to detect all errors. 


Total Bytes—Displays the total number of bytes transmitted. 
Avg Frame Size—Displays the average size of frames transmitted. 
Start Time—Displays the date and time the first frame was transmitted. 


End Time—Displays the date and time the most recent frame was transmitted. 
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Elapsed—Displays the amount of time between the transmission of the first and 
most recent frames. 


TO Station 


Current Usage—Displays the percentage of utilization for receptions in the last 
second. 


Average Usage—Displays the average percentage of utilization for receptions. 
Total Frames—Displays the total number of frames received. 

Total Errors—Displays the total number of bad frames received. 

Total Bytes—Displays the total number of bytes received. 

Avg Frame Size—Displays the average size of frames received. 

Start Time—Displays the date and time the first frame was received. 

End Time—Displays the date and time the most recent frame was received. 


Elapsed—Displays the amount of time between the first and most recent frames 
received. 


Information Displayed: Graphic 


SINGLE STATION Mar 07 14:54: 

Traffic TO and FROM Station 

Current Usage 1.02 % 

Station: File Server Average Usage 0.54 % 
Total Frames 13, 802 
Last sent to: Ed Hicks Total Errors 19 
Last rev from: Jack Clayton Total Bytes 2, 138, 987 
Avg Frame Size 154 


A 
b 
s 
U 
s 
a 
g 
e 


Figure 52. Single Station view: graphic. 
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The statistics in the top portion of the graphic view are identical to those displayed 
in one of the portions in the numeric view, depending on the Class option you 
choose. 


Station:—Displays the name of the station for which statistics appear. 


Last sent to:—Displays the destination address or name of the station to which the 
most recent frame was transmitted. 


Last rcv from:—Displays the source address or name of the station from which the 
most recent frame was received. 


Current Usage—Displays the percentage of utilization in the last second for 
transmissions, receptions, or both. 


Average Usage—Displays the average size of frames transmitted, received, or 
both. 


Total Frames—Displays the total number of frames transmitted, received, or both. 


Total Errors—Displays the total number of bad frames transmitted, received, or 
both. Note that the Ethernet Monitor may not be able to detect all errors. 


Total Bytes—Displays the total number of bytes transmitted, received, or both. 


Avg Frame Size—Displays the average size of frames transmitted, received, or 
both. 


The graph in the bottom portion of the Single Station view (Figure 52) shows 
either absolute or relative network usage by the station over a 60-second period. 
The graph updates at one-second intervals, moving across the view from right to 
left. The current time and date display in the view’s upper-right corner. 


You can scale the usage axis to display the desired level of detail by pressing F7 
(Scale up), F8 (Scale down), or the up or down Arrow keys. 
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Display All Stations 


This view shows statistics for each station in the entire network. The numeric view 
lets you display any statistics you choose, sorted by the statistic of your choice (the 
sort key). The graphic view displays and illustrates usage statistics, also sorted by 
a sort key you define. 


Options 


Numeric Displays statistics as columns of numbers, for up to 20 stations at a 
time. You can choose which statistics to display, how to display them (see other 
options), and how to sort them. 


To see statistics for additional stations, press F3 (Prev station) and F4 (Next 
station), the up or down Arrow keys, or the Home and End keys. To see statistics 
that do not fit on the screen, use the left or right Arrow keys. 


ABSOLUTE TRAFFIC STATISTICS TO AND FROM STATIONS Mar 07 14:59:27 
Station Frames Errs Bytes Size %Usage 

1 File Server 16, 165 55 

Print Server 11, 164 

es In 

Alex Zwic' 

James Vylie 

Michael Harley 

Tom Brown 

Jill Franz 

Miles Russell 

George Stanley 

Ves ing 

Jack Clayton 

Ken Quinn 

Linus Stanwick 

Barbara Lemmon 

Fred Biddle 

Anthony Serrao 

Denise Martin 

Ed Hicks 

Steven Anderson 1,135 


3 Prevgd Next 6Disply OFreeze—i0 Stop 
station—istation]] Menus fMoptions displaygmonitor 


Figure 53. All Stations view: numeric. 
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To see statistics for additional stations, press F3 (Prev station) and F4 (Next 
station), the up or down Arrow keys, or the Home and End keys. To see statistics 
that do not fit on the screen, use the left or right Arrow keys. 


Graphic—The bottom portion displays absolute or relative usage statistics for up 
to 10 stations at a time, sorted by the sort key you selected. 
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The top portion shows statistics for the displayed stations as a graph, with 
transmissions, receptions, and both counts appearing in different colors or 
intensities. 


To see statistics for stations that are off the screen, press F3 (Prev station) or F4 
(Next station). You can also scale the usage axis to display the desired level of 
detail by pressing F7 (Scale up) or F8 (Scale down). 


4 7 8 9 


5 6 
Legend: BOTH FROM TO 


1 File Server 66.22 % 6 George Stanley 
2 Print Server 33.16 % 7 Mark Ellison 
3 Fred Biddle 10.11 % 8 Robert Hayes 
4 Ed Hicks 8.29 % 9 Tom Brown 

5 Alex Zwick 6.40 % 10 James Wylie 


Ko: 
1 3 Prevald Next ODisply—? Scalef8 ScalesoFreeze—ii0 Stop 
Help Stationgstationg Henus fMoptions™ up down fidisplayfimonitor 
Figure 54. All Stations view: graphic. 
Class—Displays either transmission, reception, or both. 


Network usage—Displays either absolute or relative usage. 


Ascending—Displays statistics from the lowest to the highest, as defined by the 
sort key. 


Descending—Displays statistics from the highest to the lowest, as defined by the 
sort key. 


Sort by—Displays a list of fields from which you select the sort key, including: 


Partner’s name—displays the name of the last station that communicated 
with the station. 


Frames—displays the total number of frames transmitted, received, or both. 


Errors—displays the total number of bad frames transmitted, received, or 
both. 
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Bytes—displays the total number of bytes transmitted, received, or both 
(equivalent to usage). 


Average size—displays the average size of the frames transmitted, received, 
or both. 


First activity—displays the date and time that the first frame was transmitted 
or received. 


Last activity—displays the date and time that the most recent frame was 
transmitted or received. 


Elapsed activity—displays the amount of time between the first and most 
recently recorded frame. 


For the numeric view, you can choose which statistics to display by pressing the 
Spacebar to flag the item with a ¥ mark or an x. The list of statistics includes all 
the items in the Sort by option (above), as well as two additional items: 


Active stns only—displays only stations that are currently transmitting. 


Network usage—displays the percentage of absolute or relative network 
utilization. 
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Display Frame Sizes 


Shows how many frames fall into each predefined size category and what 
percentage of frames each category comprises. The graph illustrates these numbers. 


Information Displayed: 


sZ3—_—_—$ <<< —<—ir Ob i065 


Size Frames Percent 60 80 100 


60 

61- 128 
129- 256 
20/- 512 
513-1024 
1025-1514 
over 1514 


D 6Disply OFreeze—i10 Stop 
Menus fMoptions display—imonitor 


Figure 55. Frame Sizes view. 

Size—Displays the size categories used to classify the frames. 
Frames—LDisplays the total number of frames for each size category. 
Percent—Displays the percentage of frames for each size category. 


The graph illustrates these percentages. 


Display Ethertypes 


Displays the number and percentage of either bytes or frames used by each of the 
network protocols and illustrates these numbers with bar graphs. 


Note: For instructions about editing the STARTUP.ENT file, see Appendix E, 
“Ethertype Values.” 
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Options 
Bytes—Displays the number and percentage of total bytes. 


Frames—Displays the number and percentage of total frames. 


Information Displayed: 


ETHERTYPES————_—_—_—4_4444——- Kar 31 19:09:47. 


Ethertype Frames ‘%Total 0 20 40 60 80 100 


5 6Disply QFreezegi0 Stop 
Menus fMoptions display—monitor 


Figure 56. Ethertypes view. 
Ethertype—Displays a breakdown of Ethertypes used. 


Bytes (Frames)—Displays the total number of bytes (or frames) used by each 
Ethertype. 


% Total—Displays the total percentage of bytes (or frames) used by each 
Ethertype. 


The graph illustrates these figures. 


Display Alarm Log 


Lists up to 200 alarms generated in the current monitoring session that have not 
been cleared. You can also acknowledge and clear alarms from the Alarm Log 
view. You can log this information to a printer or to disk with the Alarm menu 
item. 
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Information Displayed: 


ALARK | SaaS ESSE ahr eaRDERE TRE SETS: os 02 43: _ y 
Priorit Source Type/Description 
Warning Apr ; oe Milici ; or more frame errors 
DIE erver or more frame errors 
Critical :28: inne Ellison Rel usage exceeded 25% 
Warning :29:29 Print Server 5 or more frame errors 
Warning uals Ed Hicks 5 or more frame errors 
Major 134: Ken Quinn Idle 4 minute 
Warning :36: George Stanley 5 or more frame errors 
Warning 339: Miles Russell 5 or more frame errors 
Warning :40:18 Fred Biddle 5 or more frame errors 
Critical :40:26 Michael Harley Rel usage exceeded 25% 
Warning 42: 47: 43 William Griffith 5 or more frame errors 


rPOOWDAMNOL WwW 


a 


3 Ack §4Clear 5 6Disply 10 Stop 
Help alarm § alarm § Menus #Moptions monitor 


Figure 57. Alarm Log view. 


Priority—Displays the priority level of the network event that triggered the alarm. 
Time—Displays the time the event occurred. 

Source—Displays the name of the station that triggered the alarm. 
Type/Description—Displays the type of event. 

Ack—Lets you track which alarms were acknowledged. 


The upper right corner shows the current time. 


Special Function Keys: 


F3 (Ack alarm—Puts a V¥ mark in the Ack column. Turns off audible click if that 
alarm exceeded the indicator threshold. 


F4 (Clear alarm)—Erases the alarm from the alarm buffer. 
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Display Global History 


Options 


Displays a history of activity for the entire network at intervals you determine. 


Numeric—Displays history statistics as columns of numbers, including the interval 
number and time, the number of frames, errors, and bytes, the average size per 
frame, and the percentage of usage during each interval (Figure 58). 


Graphic—Displays the interval number and time and the percentage of usage 
during that interval. The graph illustrates the percentage of absolute usage for 
each recorded interval (Figure 59). 
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Information Displayed: Numeric 
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Figure 58. Global History Statistics view: numeric. 


The column of numbers identifies the interval number, with the most recently 
recorded interval at the top of the screen. 


Time—Displays the date and time of each interval. 

Frames—Displays the number of frames recorded for each interval. 
Errs—Displays the number of errors recorded for each interval. 
Bytes—Displays the number of bytes recorded for each interval. 
Size—Displays the average size of the frames recorded for each interval. 
% Usage—Displays the percentage of absolute usage for each interval. 


The upper right corner shows the current date and time. 
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Figure 59. Global History Statistics view: graphic. 


The column of numbers identifies the interval number, with the most recently 
recorded interval at the top of the screen. 


Time—Displays the date and time of each interval. 
% Usage—Displays the percentage of absolute usage for each interval. 


The graph illustrates the percentage of absolute usage for each interval. You can 


scale the usage axis to display the desired level of detail by pressing F7 (Scale up), 


F8 (Scale down), or the right or left Arrow keys. 


The upper right corner shows the current date and time. 
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Display Station History 


Options 


Displays a history of activity for a selected station or address at intervals you 
determine. The title identifies the station as well as whether statistics represent 
transmissions, receptions, or both, and whether they show absolute or relative 
network usage. If you do not select a station, these statistics are collected for the 
default address (Broadcast). 


Numeric Displays station history statistics as columns of numbers, including the 
interval number and time, the number of frames, errors, and bytes, the average 
size per frame, and the percentage of usage during each interval. 


Class—Displays either transmissions, receptions, or both. 


Network usage—Displays either absolute or relative usage. 


Graphic _ Displays the interval number and time, and the percentage of either 
absolute or relative usage during that interval. The graph illustrates the 
percentage of usage for each recorded interval. 


Class—Displays either transmissions, receptions, or both. 
Network usage—Displays either absolute or relative usage. 
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Figure 60. Station History Statistics view: numeric. 
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The column of numbers identifies the interval number, with the most recently 
recorded interval at the top of the screen. 


Time—LDisplays the date and time of each interval. 

Frames—Displays the number of frames recorded for each interval. 
Errs—Displays the number of errors recorded for each interval. 

Bytes—Displays the number of bytes recorded for each interval. 

Size—Displays the average size of the frames recorded for each interval. 

% Usage—Displays the percentage of absolute or relative usage for each interval. 


Information Displayed: Graphic 
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Figure 61. Station History Statistics view: graphic. 


The column of numbers identifies the interval number, with the most recently 
recorded interval at the top of the screen. 


Time—Displays the date and time of each interval. 
% Usage—Displays the percentage of absolute or relative usage for each interval. 


The graph illustrates the percentage of either absolute or relative usage for each 
interval. You can scale the usage axis to display the desired level of detail by 
pressing F7 (Scale up), F8 (Scale down), or by pressing the right or left Arrow keys. 
The upper right corner shows the current date and time. 
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Alarm 


Options 


Lets you clear alarms from the alarm buffer automatically, set alarm thresholds, set 
audible alarm indicator thresholds, and determine where to send the alarm log. 


Note: In addition to alarms generated when alarms exceed alarm thresholds you 
define, the Ethernet Monitor automatically generates an alarm when it detects a 
frame larger than 1514 bytes or if the Broadcast address appears as a source 
address. 


Auto clear =—Lets you set an interval (1 minute to 99 hours) before the Ethernet Monitor 


automatically clears each alarm to make room in the alarm buffer. To make sure 
alarms are not lost, use the Log to option to specify a printer or disk file to which 
alarms are sent. To turn the Auto clear option off, choose 0. 


Thresholds—Lets you specify alarm thresholds. 


Global—Defines global alarm thresholds. For the Errors, Usage, and Broadcast 
alarm thresholds, you can define an interval that determines the period of time (5 
seconds to 60 minutes) used to measure whether thresholds have been exceeded. 
After each interval, the count resets to 0. 


Unknown station—Determines whether an address not found in the address table 
triggers an alarm. 


Errors—Defines the number (1 to 65535) of bad frames on the network that triggers 
an alarm. 


Usage—Defines the percentage (1 to 100%) of absolute network usage before 
triggering an alarm. 


Broadcast—Specifies the number of frames that can be sent to the broadcast 
address before triggering an alarm. 


Idle—Defines the length of time (1 to 120 minutes) the network can be inactive 
before triggering an alarm. 


Station defaults—Defines station defaults to apply to new stations as they are 
detected on the network, including: 


Errors—Defines the number (1 to 65535) of bad frames a station can transmit 
before triggering an alarm. 


No response—Defines how long (1 to 7 seconds) a station can be sent frames 
without responding before triggering an alarm. 


Idle—Defines the length of time (1 to 120 minutes) the station can operate without 
transmitting before triggering an alarm. 


Usage—Defines the percentage of network traffic (1 to 100%) the station can 
generate before triggering an alarm. 
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Priority—Defines the importance of alarms for a given station, including Inform, 
Warning, Minor, Major, and Critical. 


Log to—Lets you specify where to send the alarm log. 


Printer—Sends the alarm log to the specified printer and lets you set the page size. 


File—Sends the alarm log to a disk file (ALARM.LOG). Also lets you determine 
whether the current alarm log is appended to the log file from the previous 
monitoring session, or whether it overwrites that file. 


Audible indicators—Lets you specify how many alarms (1 to 200) trigger each of the three 
types of audible clicks. 


Audible alarms—Turns off audible indicators when marked with an x (press 
Spacebar to change option). 


Low = —Determines how many alarms trigger a low click. This threshold must be 
lower than the medium setting. Enter 0 to turn it off. 


Medium = —Determines how many alarms trigger a medium click. This threshold 
must be lower than the high setting. Enter 0 to turn it off. 


High = —Determines how many alarms trigger a high click. Enter 0 to turn it off. 
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Report 


Options 


Load 


Edit 


Save 


Clear 


Lets you generate reports based on report scripts. You can print the resulting 
reports and save them as files, in either standard or CSV (comma-separated values) 
format. The Report Script Editor view lets you modify report scripts to customize 
reports to your needs. 


Loads an existing report script which you can use to generate a report or to edit 
before generating a report. The Ethernet Monitor searches for these scripts in the 
subdirectory CAPTURE, below the directory that holds the other Ethernet Monitor 
files. The Ethernet Monitor comes with the following reports: 


ERRORS—Provides statistics for the 10 stations that transmitted the most frames 
with errors during the most recent monitoring session. To appear in this report, a 
station must have transmitted at least five frames with errors. 


HISTORY—Provides global history information for the 30 most recent intervals. 
Use or modify this report to save history statistics. 


TALKERS—Provides statistics for the 10 stations that transmitted the most traffic 
during the most recent monitoring session. 


LISTENERS—Provides statistics for the 10 stations that received the most traffic 
during the most recent monitoring session. 


USERLIST—Lists the physical addresses and names of all stations, sorted in 
descending order by name. 


USERS—Provides transmit and receive statistics for all stations, sorted in 
ascending order by name. 


USERSCS V—Provides the same information as the USERS report, but ina 
delimited format that allows you to import the information into spreadsheets and 
other applications. 


(For more information on these reports, see “Ethernet Monitor Sample Reports: 
An Overview,” in Chapter 6.) 


Displays the last report script loaded and enables the Report Script Editor view. 
(See “The Report Script Editor,” below.) 


Lets you save a report script you created or modified. 


Erases the contents of the last report script loaded. 
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Print Creates a report based on the current report script. When printing, you can specify 


the printer and the number of lines per page. When saving to disk, you can specify 
normal or CSV file format. 


The Report Script Editor 


F2 


F3 


F4 


F6 


F7 


F8 


F9 


The Report Script Editor view (reached with Report/Edit) lets you modify the last 
report script that was loaded. Its functions are accessible through the special 
function keys associated with this view. 


(Insert field) Displays a list of statistics you can include in the report. When you 
select one of these, the Ethernet Monitor inserts a code into the script. Whenever 
you preview, print, or save a report based on this script, the Ethernet Monitor 
inserts the current statistics. 

(Insert line) Inserts a blank line into the report script. 

(Delete line) Deletes the line that contains the cursor from the report script. 

(Edit options) Provides the Load, Save, Clear, and Print options. These options are 
also available from the Report submenu option. The Report Settings option 
provides access to Sort by and Filter. (See “The Report Settings,” below.) 

(Chars) Lists the special characters you can display. 

(Repeat char) Repeats special characters for continuous lines or borders. 

(Screen test) Provides a preview of the current report on screen. 

The Report Settings 

Function key F6 (Edit options) in the Report Script Editor view accesses the Report 
Settings option, which lets you define a sort key that determines how the report is 


sorted. In addition, the Filter option lets you limit the number of stations 
displayed. 


Sort by—Displays a list of fields from which you select the sort key, including: 


To—Displays frames received by the station. 
From—Displays frames transmitted by the station. 
Both—Displays frames transmitted and received by the station. 


Ascending—Uses selected sort key to arrange stations from lowest to highest 
value. 


Descending—Uses selected sort key to arrange stations from highest to lowest 
value. 


Partner’s name—Displays the name of the last station that communicated with 
station. 


121 


Sniffer Advanced Ethernet Network Monitor User’s Manual 


Filters 


Frames—Displays the total of frames recorded. 

Errors—Displays the total of bad frames recorded. 

Bytes—Displays the total of bytes recorded. 

Average size—Displays the average size of the frames recorded. 

First activity—Displays the date and time of the first frame recorded. 

Last activity—Displays the date and time of the most recent frame recorded. 


Elapsed activity—Displays the amount of time between the first and most recent 
recorded frame. 


You can set up one or two filters that limit the statistics displayed by defining 
minimum and maximum values on the following fields: 


Note: If you choose two filters with the AND option, the statistics must pass the 
parameters defined for both filters. If you choose the OR option, statistics need 
only pass the parameters defined for either filter. 

To—lIncludes only frames received by the station. 

From—lIncludes only frames transmitted by the station. 


Both—Includes both transmitted and received frames. 


Sort position—Includes the statistics with either the highest or lowest values, 
depending on whether you sorted in ascending or descending order. 


Name—lIncludes only those station names that fall in an alphabetical range, such 
as all names that start with the letters “se.” 


Partner’s name—Includes only those partners’ names that fall within an 
alphabetical range. 


Frames—lIncludes only the range of frames specified (0 to 4,294,967,295). 
Errors—Includes only the range of bad frames specified (0 to 65,535). 
Bytes—Includes only the range of bytes specified (0 to 999,999,999,999). 
Average size—Includes only the range of average sizes specified (60 to 1,514). 


First activity—Includes only first activities in the date and time ranges specified 
(0 to 49 days). 


Last activity—Includes only last activities in the date and time ranges specified 
(0 to 49 days). 


Elapsed activity—Includes only activities that fall within the range between first 
and last activities (0 to 49 days). 
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Address—Includes only addresses in the range specified (each address uses 6 
bytes, from 00 00 00 - 00 00 00 to FF FF FF - FF FF FF ). 


Absolute usage—Includes only absolute usage percentages in the range specified 
(0 to 100%). 


Relative usage—Includes only relative usage percentages in the range specified 
(0 to 100%). 


Sniffer Advanced Ethernet Network Monitor User's Manual 


Manage Station Information 


Options 


Lets you edit station names and alarm thresholds in the Ethernet Monitor 
database. 


Edit Displays the Manage Station Information view: 
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Figure 62. Manage Station Information view. 


This view lets you edit station names and the following station alarm thresholds: 


Name—Lets you assign a station name to each address (up to 16 printable ASCII 
characters). 


Errors—Lets you define the number of bad frames (1 to 65535) a station can 
transmit before triggering an alarm. 


No response—Lets you define how long (1 to 7 seconds) a station can be sent 
frames without responding before triggering an alarm (Broadcast frames don’t 
count). 


Idle—Lets you define the length of time (1 to 120 minutes) the station can operate 
without transmitting before triggering an alarm. 
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% Usage—Lets you define the percentage of network traffic (1 to 100%) the station 
can generate before triggering an alarm. 


Priority—Lets you define the importance of a station’s alarms. This can be Inform, 
Warning, Minor, Major, or Critical. 


Reset thresholds—Resets all station alarm thresholds to the default settings in the current 


database (the STARTUP.ENA and STARTUP.END files). 


Probe for names—Tries to assign names automatically using the NetBIOS remote status 


command. To use this option, you must have a second network card that is 
running NetBIOS. In addition, a responding station must be active and running 
the NetBIOS software. 


Terminates the Ethernet Monitor's foreground program and redisplays the Main 
selection menu. 


Writes the following files: STARTUP.ENB, STARTUP.ENA, and STARTUP.END. 


Although you can continue to monitor in the background after you exit the 
Ethernet Monitor, you cannot log alarms, clear the alarm log, or control the audible 
alarm indicators. 
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Appendix A. Networks: A Review 


This appendix provides basic information about how Ethernet LANs work, 
including: 

¢ physical network components 

e addresses 

¢ bandwidth 


The Physical Network 


Although networks are usually identified by their network operating system (for 
example, Novell NetWare, Banyan Vines, 3Com 3+Open, etc.), managing a 
network requires an understanding of the underlying network hardware. The 
most popular network architectures are: Ethernet, Token-Ring, ARCNET, and 
StarLAN. Although each architecture operates according to a different standard, 
all contain the same basic elements: network interface cards, cabling, and network 
hardware. 


The Network Interface Card 


Frames 


The network interface card is the basic building block of network hardware. 
Personal computers, workstations, and other devices access the network through 
these cards. The network software programs the card to transmit and receive data 
across the network cabling. 


Data is broken down into frames before being transmitted across the network. 
Frames are measured in bytes. The number of bytes in each frame varies within 
the minimum and maximum values set by the network hardware. 


Frames are organized as follows: 


Dest. address Protocols and data 


The first field in a frame is the address of the station to which the frame is 
transmitted. The first six hexadecimal digits usually make up the vendor ID 
assigned by the IEEE (Institute of Electrical and Electronic Engineers). The second 
field is the physical address of the station that transmits the frame. The remainder 
of the frame contains the protocols used by the network software and the data. 
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Physical Addresses 


The physical addresses used in Ethernet frames are six bytes long, and are usually 
represented as 12 hexadecimal digits. An example of an Ethernet address is 2C 00 
64 01 OB 31. 


Individual Addresses 


The addresses used in frames correspond to the stations on the network. Each 
station has a unique physical address. These addresses allow frames to be sent to a 
single station on the network. Since only a single station receives the frame, the 
other stations do not have the overhead of receiving unnecessary frames. 


The only rule for individual addresses is that the least significant bit of the first 
byte must be a Zero value. For example, 2C 00 64 01 OB 31 is a valid address; 2D 00 
64 01 OB 31 is not. In addition to the individual addresses for each station, 
networks can also use Broadcast and Multicast addresses. 


The Broadcast Address 


The Broadcast address has special significance to your network. A frame with this 
address in the destination field (a Broadcast frame) is received by every station on 
your network. This address is typically used when a station first becomes active 
on the network. The station sends a Broadcast address with protocol information 
that specifies which stations should respond. The value of a Broadcast address for 
Ethernet networks is FF FF FF FF FF FF. 


Multicast Addresses 


Multicast addresses are sometimes referred to as “group addresses.” Using a 
Multicast address allows more than a single station to receive a frame, without 
every station on the network receiving it. The only rules for Multicast addresses 
are that the least significant bit of the first byte must be a 1 value and that at least 
one bit must be a 0 value (all 1s is the Broadcast Address). An example of a valid 
Multicast address is 2D 00 64 01 OB 31. 


Network software that uses Multicast addresses usually sets aside specific 
addresses for certain functions. For example, a station can periodically transmit 
frames to a specific Multicast address to check for the presence of a router. These 
frames are not received by all stations on the network. 


Bandwidth 


The amount of information that can be transmitted on the network is limited by the 
network’s bandwidth. The bandwidth represents the network’s absolute capacity. 
Bandwidth is usually measured as the number of bits of data that can be 
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transmitted in a single second. For example, Ethernet’s bandwidth is 10Mb/s (10 
megabits per second). As your network grows, it is possible that performance may 
be limited by the available bandwidth. 
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Appendix B. Functional Overview 


Figure 63 shows how various Ethernet Monitor processes, functions, and files 
interact. Lettered callouts identify the processes, which are described 


below. 
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Figure 63. Ethernet Monitor Processes 
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Connection to the Ethernet bus. 


Monitor on/off function. Turns on or off the network monitor. The Network 
monitor starts a memory-resident background process that examines all 
frames on the network. 


Test functions. Tests network cabling, checks a specified station’s response to 
a test frame, and queries NetBIOS stations for their registered names. 


Monitor filter. Sets up a filter to pass to the program’s routines either all 
frames or only those frames that contain a specified station’s address. 


History filter. Sets up a filter to collect history statistics for one designated 
station. Lets the user change the interval over which history statistics are 
collected. 


Background statistics buffers. A RAM buffer that accepts data from the 
background process and maintains timestamps and incremented counts. 


Alarm thresholds table. A RAM table that contains reference values used to 
determine when alarms should be triggered. Initially, it contains the global 
and station default values, which you can change. 


Alarm detector. A background routine that compares values in the statistics 
buffers with the Alarm thresholds table to determine whether an alarm should 
be triggered. 


Alarm buffer. A RAM table that holds up to 200 separate alarm entries. 
Alarms that occur when this buffer is full are deferred (and may be lost) until 
current alarms are cleared, either manually or automatically. 


Click logic. A background routine that determines which of the audible click 
states should be active: off, low, medium, or high. 


Alarm control. Lets the user acknowledge and clear alarms, set thresholds for 
three levels of audible clicks, or turn the clicking on or off. 


Alarm logging. Enables automatic logging of alarms in the alarm buffer to a 
printer or to disk. 


. Foreground statistics buffer. A RAM buffer created by copying data from the 


background buffer. The foreground buffer is used for the display, report, and 
other functions. Both buffers are updated as new frames are monitored. 


Station database table. A RAM table that contains station names and alarm 
priority levels. The user can add names, change alarm thresholds, and delete 
stations. Station addresses are added automatically as the Ethernet Monitor 
detects them on the network. The user can also add them manually with an 
ASCII text editor. 


Display functions. Displays collected statistics in various ways (views). 


Appendix B. Ethernet Monitor Functional Overview 


P. Report functions. Uses report scripts to generate reports to the screen, toa 
printer, or to disk. Report script files define which text and statistics display 
and how they are arranged on the screen or page. 


Q_ Network interface card (NIC) #2. This card is optional; you can use it to query 
stations for names that are assigned by the NetBIOS protocol or to test 
connectivity to stations running NetBIOS. 
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Appendix C. Error and Warning Messages 


Ethernet Monitor Error Messages 


The following is an alphabetical listing of error messages for the Ethernet Monitor, 
along with a brief explanation for each. Informational messages that appear 
during normal operation are not listed. 


An error was encountered while loading the report script 


Appears when you try to load an invalid report script file. Check your script and 
reload. 


Can’t concatenate fields 


Appears in the Report Script Editor view if you try to place two fields on the same 
line without any text characters between them. Place at least one space or text 
character between any two fields. 


Could not find the Ethernet monitor card 


Run the card's diagnostic and configuration software to make sure it is installed 
correctly. Verify that the monitor software is configured for the same I/O base 
address as the card. First, check the card jumpers directly. Second, select Ethernet 
monitor from the menu and terminate it if necessary (to remove the TSR program 
from memory). Third, select Ethernet monitor from the menu, then select 
Configure Ethernet monitor and verify that the I/O address is correct. 


If the monitor still fails to run, run the Sniffer analyzer to see if it also fails. 
Remember that changing the board's configuration jumpers means having to 
notify the Sniffer software of the new settings. 


Couldn’t open file 


Usually indicates that you typed the file name incorrectly. Try typing the name 
again. If you cannot open any files, check the FILES= setting in the DOS file 
CONFIG:SYS, increase the number, and reboot. 


Couldn't save station information 

Appears if the disk is full. Make room by deleting other files that may not be 
essential, such as report scripts you no longer need. 

Field too long 


Appears in the Report Script Editor view when the end of the field you want to 
include reaches past the end ofa line. Try positioning the cursor farther to the left 
or on a different line before placing the field. 
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Help file not found 


Appears if the Ethernet Monitor could not find the ENMON.HLP file in the 
ENSNIFF directory. Check any backup disks you have for this file, or call technical 
support if you can't find it. 


Network card not responding 


Indicates a problem with programming the Ethernet Monitor network interface 
card. This message can result from incorrectly installing the Ethernet Monitor 
from a configuration conflict or froma defective network interface card. Try the 
installation procedure again. If the problem persists, call Network General for 
technical support. 


No alarms to process 

Appears if you try to acknowledge or clear an alarm in the Alarm Log view when 
there are no alarms in the alarm buffer. 

No report script disk files found 


Appears if you try to load report scripts and the Ethernet Monitor cannot find any 
report script files. Copy the Ethernet Monitor sample report scripts (*.SCR) into 
the C:\CAPTURE\REPORTS subdirectory. 


No statistics have been collected 


Appears the first time you try to display statistics before you start a monitoring 
session. Press F10 (New monitor). 


Not a valid DOS file name 


Appears when you try to enter a file name that contains invalid DOS characters. 
Try typing the name again, following the DOS file name requirements. 


Send failed 


Appears when a test frame cannot be transmitted on the network. This can be the 
result of heavy network activity or a problem with the Ethernet Monitor network 
interface card. If this message appears repeatedly, try loading the Sniffer Analyzer 
and using its traffic generator function. 


The broadcast address cannot be deleted 


Appears if you try to delete the broadcast address from the station database. Select 
a different station to delete. 


The current report script contains no information. Use the Report Editor to 
create a report, or load a report from a disk file 


Appears if you try to print or save a report without first loading or editing a report 
script. Load the desired report script or create a report script, then retry. 
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The minimum filter value must be less than or equal to the maximum filter 
value 


Appears if you try to enter a minimum value that exceeds the maximum value. 
Enter a minimum filter value less than or equal to the maximum filter value. 
The value you have entered is not valid for this item 

Appears when you enter an invalid value. Most messages tell you the range of 
valid values; if not, try entering a lower or higher value. 

This feature is not available in the demonstration program 


Appears if you try to use a feature not supported by the demonstration software. 


This software has been tampered with. What you have done is illegal! 

Your software has been illegally modified and executable files were corrupted. 
Call Network General Corporation for technical support. 

Unable to print alarm log, check printer 


Appears when you try to print the alarm log and the printer does not respond. 
Make sure the printer is connected to the PC port specified by the program and 
that it is turned on and functioning properly. If it still fails, exit to DOS and verify 
that you can print to that port and device from DOS. 


Write to alarm log failed 

Appears if the disk is full. Make room by deleting other files that may not be 
essential, such as report scripts you no longer need. 

Write to file failed 

Appears if the disk is full. Make room by deleting other files that may not be 
essential, such as report scripts you no longer need. 

You must load a NetBIOS handler before you can use this feature 


Appears if you try to use the Station test option with the NetBIOS option or the 
Probe for Names option, and the Ethernet Monitor cannot find the NetBIOS 
software. (You must have a second network interface card that runs the NetBIOS 
software.) If you are sure that you are running NetBIOS, press Enter to ignore the 
message. 


You must specify a unique station 


Appears if you try to send a test frame with either a Broadcast or Multicast address 
as the destination address. Select an individual station as the destination address 
of a test frame. 


You must start monitoring before you can use this feature 


Appears if you try to use the Station Test option when the Ethernet Monitor is not 
monitoring. Press F10 (New monitor) to start a monitoring session, then retry. 
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The following is an alphabetical listing of warning messages that appear during 
normal operation. They provide a brief explanation of the consequences of 
proceeding and give you a chance to change your mind. 

Any changes made to station alarm configurations will be lost if you proceed 
Appears after you change alarm threshold settings and then try to reset all 
thresholds to the default settings. 

File exists 

Appears when you try to assign a report script filename that already exists. Unless 
you assign a different filename, the new report script overwrites the existing script. 
The current history statistics will be cleared if this setting is updated 


Appears when you try to change either the station for which history statistics are 
collected or the history interval during a monitoring session. To prevent losing the 
Statistics, print a report before changing these settings. 

These changes will not be saved unless you enter a name for the station 


Appears if you try to save alarm thresholds for a station that is not named. Since 
the Ethernet Monitor considers unnamed stations as intruders, you should name 
all legal stations. 


This selection will not take effect until the next monitoring session 

Appears when you change the monitor filter while monitoring to warn you that 
you will not see the results of the change until the next monitoring session. 

The Sniffer will stop monitoring if you proceed 


Appears when you try to stop a monitoring session by pressing F10 (Stop monitor). 


You have not saved the latest Report Editor session. Any changes will be lost if 
you proceed 


Appears if you try to exit the Ethernet Monitor without saving the latest report 
script you edited. 
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Appendix D. Ethernet Monitor Database Format 
The STARTUP.ENA and STARTUP.END files contain the information that 
comprises the Ethernet Monitor database. You can change the information in both 
files either with the Manage Station Information view or with an ASCII text editor. 
If you have many stations to add to the database, editing the STARTUP.END file 
with a text editor may be faster than using the Manage Station Information view. 
Note: For the STARTUP.ENA file, we recommend that you use a text editor only 
for changing the values of station alarm addresses (lines 3, 4, 5, etc.). Do not edit 
the global alarms or default station alarms (lines 1 and 2). 


Information is arranged in the following formats. To edit these files, use the 
existing file formats. 


file STARTUP.END 

station“name”’= addrtype“type” address 

Example: station “Karen” = addrtype “DLC” 02608C123456 
file STARTUP.ENA 


line1 global alarms (usage 25% over 40 secs, badpkts 65535 over 30 mins 0 secs, 
broadcast 5 over 30 mins 0 secs, idle 15 mins, unknown on) 


line2 default station alarms (usage 20%, badpkts 5, idle 1 mins, norsp 5 secs, priority 1) 
line3 station address alarms (usage 20%, badpkts 5, idle 1 mins, norsp 5 secs, priority 1) 


Example: station 02608C123456 alarms (usage 10%, badpkts 10, idle 5 mins, norsp 
5 secs, priority 2) 
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Appendix E. Ethertype Values 


The Ethernet Monitor’s STARTUP.ENT file contains the most commonly used 
ethertypes and the associated values. You can display a distribution of ethertypes 
used on your network by choosing Display/Ethertypes. Any ethertypes not in the 
STARTUP.ENT file appear under “Other.” If you want to display them, add them 
to the file. However, the Ethernet Monitor displays only the first 16 ethertypes in 
the STARTUP.ENT file. 


To edit the STARTUP.ENT file: 


You can edit the STARTUP.ENT file with any ASCII text editor. To add ethertypes 
to this file, match the existing file format: 


ethertype “name” = number 
Example: ethertype “XNS” = 0600 


This appendix lists the hexadecimal type field values, which are commonly called 
“Ethertypes.” 


The 13th and 14th octets of an Ethernet or IEEE 802.3 frame (after the preamble) 
consist of the "Type" or "Length" field. These values were originally assigned by 
XEROX. 


Some Ethertype assignments are public, others private. Current information 
includes: Xerox Public Ethernet Packet Type documentation; IEEE 802.3 Standard; 


NIC RFC 960. 

Hex 

0000-05DC IEEE 802.3 Length Field 

0200 Xerox PUP (conflicts with IEEE 802.3 Length Field range) 
0201 Xerox PUP Address Translation 

0600 Xerox NS IDP 

0800 DOD Internet Protocol (IP) 

0801 X.75 Internet 

0802 NBS Internet 

0803 ECMA Internet 

0804 CHAOSnet 

0805 X.25 Level 3 

0806 Address Resolution Protocol (ARP) (for IP and for CHAOS) 
0807 XNS Compatibility 

081C Symbolics Private 

0888-088A Xyplex 
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0900 
O0AO00 
0A01 
OBAD 
1000 
1001-100F 
1600 
4242 
5208 
6000 
6001 


6002 
6003 
6004 
6005 
6006 
6007 


6008 
6009 
6010-6014 
7000 
7002 
7020-7029 
7030 
7034 
8003 
8004 
8005 
8006 
8010 
8013 
8014 
8015 
8016 
8019 
802E 
802F 
8035 


Ungermann-Bass network debugger 

Xerox IEEE 802.3 PUP 

Xerox IEEE 802.3 PUP Address Translation 
Banyan Systems 

Berkeley Trailer negotiation 

Berkeley Trailer encapsulation for IP 
VALID system protocol 

PCS Basic Block Protocol 

BBN Simnet Private 

DEC unassigned, experimental 


DEC Maintenance Operation Protocol (MOP) Dump/Load 
Assistance 


DEC Maintenance Operation Protocol (MOP) Remote Console 
DECnet Phase IV, DNA Routing 

DEC Local Area Transport (LAT) 

DEC diagnostic protocol (at interface initialization) 

DEC customer protocol 


DEC Local Area VAX Cluster (LAVC), System Communication 
Architecture (SCA) 


DEC unassigned 

DEC unassigned 

3Com 

Ungermann-Bass download 
Ungermann-Bass diagnostic/loopback 
LRT 

Proteon 

Cabletron 

Cronus VLN 

Cronus Direct 

HP Probe protocol 

AT&T 

Excelan 

Silicon Graphics diagnostic 

Silicon Graphics network games 
Silicon Graphics reserved 

Silicon Graphics XNS NameServer, bounce server 
Apollo DOMAIN 

Tymshare 

Tigan 

Reverse Address Resolution Protocol (RARP) 
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8036 Aeonic Systems 

8038 DEC LAN Bridge Management 

8039 DEC unassigned 

803A DEC unassigned 

803B DEC unassigned 

803C DEC unassigned 

803D DEC Ethernet CSMA/CD Encryption Protocol 

803E DEC unassigned 

803F DEC LAN Traffic Monitor Protocol 

8040 DEC unassigned 

8041 DEC unassigned 

8042 DEC unassigned 

8044 Planning Research Co. 

8046 AT&T 

8047 AT&T 

8049 ExperData 

805B VMTP (Versatile Message Transaction Protocol, RFC-1045) 
(Stanford) 

805C Stanford V Kernel, version 6.0 

805D Evans & Sutherland 

8060 Little Machines 

8062 Counterpoint Computers 

8065 University of Massachusetts, Amherst 

8066 University of Massachusetts, Amherst 

8067 Veeco Integrated Automation 

8068 General Dynamics 

8069 AT&T 

806A Autophon 

806C ComDesign 

806D Compugraphic 

806E-8077 Landmark Graphics 

807A Matra 

807B Dansk Data Elektronik 

807C Merit Internodal (or Univ of Michigan) 

807D-807F Vitalink 

8080 Vitalink TransLAN III Management 

8081-8083 Counterpoint Computers 

809B EtherTalk (AppleTalk over Ethernet) 

809C-809E Datability 
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809F 

80A3 
80A4-80B3 
80C0-80C3 
80C6 

80C7 
80C8-80CC 
80CD-80CE 
80CF-80D2 
80D3-80D4 
80D5 
80DD 
80DE-80DF 
80E0-80E3 
80E4-80F0 
80F2 

80F3 
80F4-80F5 
80F7 
80FF-8103 
8107 

8108 

8109 

8130 

8131 

8137 

8138 
8139-813D 
9000 

9001 

9002 

9003 

FFOO 


Spider Systems 

Nixdorf Computers 

Siemens Gammasonics 

DCA (Digital Comm. Assoc.) Data Exchange Cluster 
Pacer Software 

Applitek 

Intergraph 

Harris 

Taylor Instrument 

Rosemount 

IBM SNA Services over Ethernet 
Varian 


Integrated Solutions Transparent Remote File System (TRFS) 


Allen-Bradley 

Datability 

Retix 

AppleTalk Address Resolution Protocol (AARP) 
Kinetics 

Apollo 

Wellfleet 

Symbolics Private 

Symbolics Private 

Symbolics Private 

Waterloo Microsystems 

VG Laboratory Systems 

Novell (old) NetWare IPX (ECONFIG E option) 
Novell 

KTI 

Loopback (Configuration Test Protocol) 

Bridge Communications XNS Systems Management 
Bridge Communications TCP/IP Systems Management 
Bridge Communications 

BBN VITAL-LAN Bridge cache wakeups 
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Absolute usage 
definition of 25 


Acknowledging alarms 59 

Address style 4, 96 

Alarm log 36 

Alarm Log view 58, 112 

Alarm thresholds 
changing default station 51 
changing global 49 
changing station 50 
resetting 52 


ALARM.LOG file 61 


Alarms 
acknowledging 59 
audible indicators 13, 59, 62,119 
Broadcast alarm 118 
buffer limitations 57, 59 
clearing 59 
displaying 58 
global alarm thresholds 47, 118 
losing 57 
overview 57 
printing 60 
priorities 47, 112, 118 
saving to disk 61 
station alarm thresholds 47, 118 
All Stations view 30 
graphic 108 
Audible indicators 13, 59 
description of 62 
Auto clear 59, 118 
Background monitoring 13 
Bandwidth 130 
Broadcast address 38, 130 
Broadcast alarm threshold 48 
Changing 
default station alarm thresholds 51 
global alarm thresholds 49 
monitor settings 4 
network card settings 4 
station alarm thresholds 50 
Choosing menu items 8 
Class 
definition of 24 
recommendations for setting 24 
Clearing alarms 59, 60 
Clearing alarms automatically 118 
Configuration 
maximum stations 4 
monitor settings 3 
network card settings 3 
procedure 4 


Index 


RAM considerations 3, 96 
Count overflows 101 
CSV format 
definition of 76 
using 77 
Database 
alarm thresholds 47 
backup 43 
creation of 11 
default station alarm thresholds 51 
deleting stations 53 
editing 43, 45, 124 
format 141 
naming stations 45 
LattisNet users 45 
Novell users 44 
resetting alarm thresholds 125 
resetting default thresholds 52 
returning to previous version 53 
using a text editor 141 
Defining a sort key 33 
Deleting stations 53 
Display 
freezing 27 
scaling 26 
Display options 
numeric vs. graphic 24 
overview 23 
Displaying 
earlier or later history intervals 38 
ethertypes 35, 110 
frame sizes 34, 110 
global history 113 
global statistics 27, 99 
sorted statistics for all stations 32, 107 
station history 38, 116 
station statistics 29, 103 
the alarm log 36, 58, 111 
DIX Loop protocol 18, 98 
DMA Channel 3, 96 
Editing 
report script 78 
Editing report scripts 77 
ENMON.CFG file 91 
ENMON.EXE file 91 
ENMONDRYV xi 
ENMONDRV .EXE file 91 
Erasing stations 98 
Erasing statistics 37 
Errors alarm threshold (global) 48 
Errors alarm threshold (station) 47 
ERRORS report script 67, 120 
Ethernet 129 
Ethertype values 143 


Ethertypes 
displaying 35 
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Ethertypes view 111 
Executing menu items 8 
Exiting the Ethernet Monitor 125 
Filters 
refining reports 78, 83, 122 
stations to monitor 12, 98 
Frame components 129 
Frame sizes 
displaying 34 
Frame Sizes view 110 
Freezing the display 27, 29 
Function keys 10 
Functional overview 133 


Global alarm thresholds 47 
recommendations for setting 48 


Global History view 

graphic 115 

numeric 114 
Global Statistics view 26 

graphic 102 

numeric 100 
Graphic display 24 
Help system 11 
Hiding items 9 
History 

global statistics 37 

station, displaying 38 
History interval 4 
History options 12, 98 
HISTORY report script 68, 120 
I/O address 3, 96 
Identifying stations 44 
Idle alarm threshold (global) 48 
Idle alarm threshold(station) 47 
IEEE 802.2 protocol 18, 98 
Installation Selection 6 
Intruders 18 
LattisNet user hints 45 
Limitations xii 
LISTENERS report script 69, 120 
Loading a report script 75 
Losing alarms 57 
Manage Station Information view 124 
Managing the database 43 


Menu items 
choosing from lists 8 
executing 8 
turning on and off 9 


Menu structure 7 


Monitoring 
background 13 
options 98 


restricting 12 
Moving through menus 7 
Moving to the far right or left of screen 31 
Multicast address 130 


Naming stations 46 
automatically 45, 125 


NetBIOS 18, 98 

Network architecture 129 

Network interface card xi, 129 

No response alarm threshold (station) 47 
Novell user hints 44 

Numeric display 24 

Physical addresses 130 

Previewing a report 75 

Printing a report 75 

Printing alarms 60 


Reception statistics 
definition of 28 


Recommendations 
clearing alarms 59 
configuring maximum stations 4 
debugging a report script 78 
investigating high total errors 26 
learning normal network patterns 17 
naming stations 17 
printing alarms 60 
saving alarms to disk 61 
setting global alarm thresholds 48 
setting station alarm thresholds 49 
setting the class option 24 
setting the network usage option 25 
using global history statistics 37 


Relative usage 
definition of 25 


Report script 
definition of 67 
ERRORS 67 
HISTORY 68 
LISTENERS 69 
TALKERS 70 
USERLIST 72 
USERS 73 
USERSCSV 74 


Reports 
codes 80 
creating or modifying report scripts 77 
deleting lines 121 
editing a report script 78 
inserting fields 121 
inserting lines 121 
loading a report script 74 
previewing 75, 121 
printing 75 
refining appearance 84 
report script options 120 
saving a report script 85 
saving a report to disk 76 
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selecting fields to include 79 

sorting 78, 82, 121 

using and repeating special characters 
121 


using filters 78, 83, 121,122 
REPORTS \*.SCR files 92 
Resetting default station alarm thresholds 

2, 

Returning to previous version of database 53 
Saving 

a report to disk 77 

alarms to disk 61 

report scripts 85 
Scaling the display 26, 29 
Setting audible indicator thresholds 63 
Single station 

statistics 29 
Single Station view 28 

graphic 106 

numeric 104 
Sorting statistics 30, 108 
Starting a monitoring session 11, 12 
STARTUP.ENA file 92 

editing 141 
STARTUP.ENB file 92 
STARTUP.END file 43, 92 

editing 141 
STARTUP.ENI file 92 
STARTUP.ENT file 92 

editing 143 
Station 

unnamed, alarms from 18 
Station alarm thresholds 47 

recommendations for setting 49 
Station History view 

graphic 117 

numeric 117 
Station test 19, 98 
Stations 46 

deleting 53 

editing information 45 

naming automatically 45 


Statistics 
displaying 23 
global view 26 
reception 28 
transmission 28 


Statistics for all stations 
sorted 32 


Stopping a monitoring session 13 
TALKERS report script 70, 120 
Terminate Selection 6 


Testing 
connectivity 18, 98 


Transmission statistics 


definition of 28 
Troubleshooting tips 17 
Unknown station alarm 18, 48 


Usage 
definition of 25 
recommendations for setting 25 


Usage alarm threshold (global) 48 
Usage alarm threshold (station) 47 
USERLIST report 

using for identifying stations 45 
USERLIST report script 72, 120 
USERS report script 73, 120 
USERSCSV report script 74, 120 
WCOMFIG.EXE file 91 
XNS Echo protocol 18, 98 
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